{"id":14078,"date":"2026-07-04T10:03:43","date_gmt":"2026-07-04T10:03:43","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/04\/multiple-fatfs-vulnerabilities-expose-millions-of-embedded-devices-to-cyber-risks\/"},"modified":"2026-07-04T10:03:43","modified_gmt":"2026-07-04T10:03:43","slug":"multiple-fatfs-vulnerabilities-expose-millions-of-embedded-devices-to-cyber-risks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/04\/multiple-fatfs-vulnerabilities-expose-millions-of-embedded-devices-to-cyber-risks\/","title":{"rendered":"Multiple FatFs Vulnerabilities Expose Millions of Embedded Devices to Cyber Risks"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">Security researchers at runZero have disclosed seven new CVEs affecting FatFs, the ubiquitous lightweight FAT\/exFAT filesystem driver used across embedded and IoT ecosystems.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerabilities range from CVSS Medium to High, with no Critical-rated findings, but their reach is significant: FatFs underpins platforms including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate, extending into consumer IoT, industrial controllers, drones, and crypto wallets.<\/p>\n<p class=\"wp-block-paragraph\">The research revisits a 2017 manual audit and fuzzing effort that surfaced only minor bugs. 
In March 2026, runZero reapproached the codebase using Visual Studio Code and <a href=\"https:\/\/cybersecuritynews.com\/hackers-exploit-github-copilot-flaw\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub Copilot<\/a> in \u201cauto\u201d mode, without custom harnesses or fuzzing loops.<\/p>\n<p class=\"wp-block-paragraph\">The LLM-assisted approach uncovered previously overlooked bugs and helped validate real-world exploitability across multiple embedded scenarios, highlighting the growing role of AI in long-tail <a href=\"https:\/\/cybersecuritynews.com\/cisa-warns-of-supply-chain-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">supply chain vulnerability<\/a> research.<\/p>\n<h2 id=\"h-fatfs-vulnerabilities\" class=\"wp-block-heading\"><strong>FatFs Vulnerabilities<\/strong><\/h2>\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-6682<\/strong> (CVSS 7.6, High) \u2014 Integer overflow in mount_volume() during FAT32 mounting produces attacker-controlled file-size metadata, potentially leading to heap or stack overflow and code execution.<\/p>\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-6687<\/strong> (CVSS 7.6, High) \u2014 An uncapped exFAT label-length field in f_getlabel() enables oversized writes into caller-provided stack buffers, creating a clean memory-corruption primitive.<\/p>\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-6688<\/strong> (CVSS 7.6, High) \u2014 When long filenames (LFN) are enabled, oversized fno.fname values overflow fixed-size buffers in downstream callers using <code>strcpy<\/code> or 
<code>sprintf<\/code>. Fixing this fully requires wrapper-level changes, though FatFs could improve truncation signaling.<\/p>\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-6685<\/strong> (CVSS 6.1, Medium) \u2014 Unsigned-subtraction wraparound in dirty-cache handling on fragmented volumes causes stale cache behavior and out-of-bounds memory effects, risking silent data corruption.<\/p>\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-6683<\/strong> (CVSS 4.6, Medium) \u2014 A divide-by-zero in exFAT sync\/write paths, triggerable via crafted media, creates reliable crash conditions \u2014 particularly concerning for OTA update processes.<\/p>\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-6686<\/strong> (CVSS 4.6, Medium) \u2014 Seeking beyond EOF exposes uninitialized cluster data, leaking stale content from previously deleted files in shared-media or multi-stage boot environments.<\/p>\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-6684<\/strong> (CVSS 4.6, Medium) \u2014 Pre-R0.16 implementations lack GPT entry-count validation, allowing unbounded partition-scan loops and mount-time denial-of-service. Upstream R0.16 already addresses this; the burden now falls on downstream upgrades.<\/p>\n<p class=\"wp-block-paragraph\">These flaws are triggerable through crafted FAT, exFAT, or GPT images via removable media or auto-mounted update channels. 
Because devices in embedded contexts commonly lack ASLR and memory protection, physical access can translate directly into full compromise.<\/p>\n<p class=\"wp-block-paragraph\">Affected device classes include security cameras, ATMs, voting machines, and any hardware with USB or SD card interfaces accessible to the public.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.runzero.com\/blog\/fatfs-bugs\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">runZero attempted multiple times<\/a> to contact the FatFs maintainer and involved JPCERT\/CC early in the process, but received no response. Because most implementers maintain heavily vendored, locally modified versions of FatFs, upstream patches require careful validation before adoption.<\/p>\n<p class=\"wp-block-paragraph\">Downstream implementers are urged to audit vendored FatFs code, review filename and file-size handling in wrappers, and prepare for patch rollouts.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/fatfs-vulnerabilities\/\">Multiple FatFs Vulnerabilities Expose Millions of Embedded Devices to Cyber Risks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security 
News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Multiple FatFs Vulnerabilities Expose Millions of Embedded Devices to Cyber Risks Security researchers at runZero have disclosed seven new CVEs affecting FatFs, the ubiquitous lightweight FAT\/exFAT filesystem driver used across embedded and IoT ecosystems. The vulnerabilities range from CVSS Medium to High, with no Critical-rated findings, but their reach is significant: FatFs underpins platforms including [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-14078","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14078"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14078"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14078\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=
14078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
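The wrapper-level bug class behind CVE-2026-6688 in the article above, and the closing advice to review filename handling in wrappers, as an added example that is neither FatFs code nor runZero's: a legacy 8.3-sized buffer filled by strcpy from fno.fname beside a bounded copy that reports truncation instead of hiding it. The filinfo_t struct, LFN_MAX and DEST_LEN are stand-ins for the FatFs FILINFO layout and are assumptions, not values taken from ff.h.

```c
/*
 * Added example, not FatFs or runZero code: the downstream-wrapper pattern
 * behind CVE-2026-6688 beside a hardened replacement.  filinfo_t is a stand-in
 * for the FatFs FILINFO struct (assumption: only the fname member matters
 * here); LFN_MAX and DEST_LEN are illustrative sizes, not values from ff.h.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LFN_MAX   255   /* assumption: longest name the driver may hand back */
#define DEST_LEN  13    /* 8.3 name + NUL: a typical legacy wrapper buffer  */

typedef struct {
    char fname[LFN_MAX + 1];   /* stand-in for FILINFO.fname with LFN enabled */
} filinfo_t;

/* VULNERABLE: written when fname was always 8.3, so it copies unbounded.
 * With LFN enabled a crafted directory entry yields a name longer than
 * DEST_LEN - 1 and strcpy runs off the end of dest.  Kept for comparison;
 * never call it on names from untrusted media. */
void copy_name_unsafe(char dest[DEST_LEN], const filinfo_t *fno)
{
    strcpy(dest, fno->fname);
}

/* HARDENED: bound the copy by the destination and report truncation rather
 * than silently chopping the name.  Returns 0 on success, -1 if the name did
 * not fit (dest is set to "" so a careless caller cannot act on a partial
 * name).  Never writes past dest[dest_len - 1]. */
int copy_name_safe(char *dest, size_t dest_len, const filinfo_t *fno)
{
    if (dest == NULL || dest_len == 0) return -1;
    /* Cap the length scan at the source buffer so a missing NUL inside
     * fname cannot make us read beyond the struct (memchr is standard C). */
    const char *nul = memchr(fno->fname, '\0', sizeof fno->fname);
    size_t n = nul ? (size_t)(nul - fno->fname) : sizeof fno->fname;
    if (n >= dest_len) {
        dest[0] = '\0';
        return -1;
    }
    memcpy(dest, fno->fname, n);
    dest[n] = '\0';
    return 0;
}

/* Same idea for the sprintf variant: build "<dir>/<name>" with snprintf and
 * treat a would-be-truncated result as an error, not as a shorter path. */
int build_path_safe(char *out, size_t out_len, const char *dir, const filinfo_t *fno)
{
    int r = snprintf(out, out_len, "%s/%s", dir, fno->fname);
    if (r < 0 || (size_t)r >= out_len) {
        if (out_len) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed test input: a FILINFO stand-in whose name is len 'A's. */
filinfo_t make_fno(size_t len)
{
    filinfo_t f;
    if (len > LFN_MAX) len = LFN_MAX;
    memset(f.fname, 'A', len);
    f.fname[len] = '\0';
    return f;
}

int main(void)
{
    char dest[DEST_LEN];
    filinfo_t shortname = make_fno(12);   /* fits: 12 chars + NUL          */
    filinfo_t longname  = make_fno(200);  /* constructed LFN that does not */

    printf("short name: %d\n", copy_name_safe(dest, sizeof dest, &shortname));
    printf("long name:  %d\n", copy_name_safe(dest, sizeof dest, &longname));
    return 0;
}
```

The point of returning -1 rather than truncating is the one the article makes about "truncation signaling": a wrapper that quietly shortens a name can later open, delete, or overwrite a different file than the one the directory entry named.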
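The mount-time check that CVE-2026-6684 says pre-R0.16 builds lack, as an added example written against the public GPT header layout rather than FatFs's own mount code: parse the primary header, bound the partition-entry count and entry size, and confine the partition-array scan to the device. The field offsets (signature at 0, entry-array LBA at 72, entry count at 80, entry size at 84) are from the UEFI GPT specification; the cap GPT_MAX_ENTRIES, the function names and the constructed headers are assumptions, not what R0.16 does.

```c
/*
 * Added example, not FatFs code: bounding a GPT partition-entry scan before
 * it starts.  Offsets follow the UEFI GPT header layout; GPT_MAX_ENTRIES is
 * an assumed cap (the usual array holds 128 entries).  CRC checks are left
 * out to keep the example focused on the entry-count bound.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE         512
#define GPT_MAX_ENTRIES     1024   /* assumption: far above the usual 128 */
#define GPT_MIN_ENTRY_SIZE  128    /* spec: entry size is 128 * 2^n bytes  */

/* GPT fields are little-endian regardless of host byte order. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

typedef struct {
    uint64_t entry_lba;     /* first sector of the partition-entry array */
    uint32_t entry_count;   /* validated number of entries               */
    uint32_t entry_size;    /* validated bytes per entry                 */
    uint32_t scan_sectors;  /* sectors a bounded scan must read          */
} gpt_info_t;

/* Parse the primary GPT header (normally LBA 1) and bound the scan.
 * Returns 0 and fills *out, or -1 on any inconsistency.  Without the count
 * and size checks, a header claiming 0xFFFFFFFF entries makes a naive mount
 * loop read sector after sector until the medium runs out: the mount-time
 * denial of service the advisory describes. */
int gpt_parse_header(const uint8_t hdr[SECTOR_SIZE], uint64_t device_sectors,
                     gpt_info_t *out)
{
    if (memcmp(hdr, "EFI PART", 8) != 0) return -1;   /* offset 0: signature   */
    uint64_t entry_lba = rd64(hdr + 72);               /* offset 72: array LBA  */
    uint32_t count     = rd32(hdr + 80);               /* offset 80: entries    */
    uint32_t size      = rd32(hdr + 84);               /* offset 84: entry size */

    if (count == 0 || count > GPT_MAX_ENTRIES) return -1;
    /* entry size must be 128 * 2^n: at least 128 and a power of two */
    if (size < GPT_MIN_ENTRY_SIZE || (size & (size - 1)) != 0) return -1;

    uint64_t bytes   = (uint64_t)count * size;         /* both factors bounded */
    uint64_t sectors = (bytes + SECTOR_SIZE - 1) / SECTOR_SIZE;
    /* the array must start after the header and end on the device */
    if (entry_lba < 2 || entry_lba >= device_sectors ||
        sectors > device_sectors - entry_lba)
        return -1;

    out->entry_lba    = entry_lba;
    out->entry_count  = count;
    out->entry_size   = size;
    out->scan_sectors = (uint32_t)sectors;
    return 0;
}

/* Constructed 512-byte header for testing (not from a real disk). */
void gpt_make_header(uint8_t hdr[SECTOR_SIZE], uint64_t entry_lba,
                     uint32_t count, uint32_t size)
{
    memset(hdr, 0, SECTOR_SIZE);
    memcpy(hdr, "EFI PART", 8);
    for (int i = 0; i < 8; i++) hdr[72 + i] = (uint8_t)(entry_lba >> (8 * i));
    for (int i = 0; i < 4; i++) hdr[80 + i] = (uint8_t)(count >> (8 * i));
    for (int i = 0; i < 4; i++) hdr[84 + i] = (uint8_t)(size >> (8 * i));
}

/* Build one constructed header and parse it: returns the bounded number of
 * sectors the scan would read, or -1 if the header is rejected. */
int gpt_check_case(uint64_t entry_lba, uint32_t count, uint32_t size,
                   uint64_t device_sectors)
{
    uint8_t hdr[SECTOR_SIZE];
    gpt_info_t info;
    gpt_make_header(hdr, entry_lba, count, size);
    if (gpt_parse_header(hdr, device_sectors, &info) != 0) return -1;
    return (int)info.scan_sectors;
}

int main(void)
{
    printf("sane header:        %d sectors\n", gpt_check_case(2, 128, 128, 1000000));
    printf("0xFFFFFFFF entries: %d\n", gpt_check_case(2, 0xFFFFFFFFu, 128, 1000000));
    printf("array off device:   %d\n", gpt_check_case(999990, 128, 128, 1000000));
    return 0;
}
```

The scan loop that follows a successful parse should iterate exactly entry_count times over scan_sectors sectors and nothing else; any bound derived from the header after validation is safe, any bound read from the header before validation is attacker-controlled.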