Home/ Blog/ Security news/ Article
Blog · Security news

AI reopened a 2017-audited filesystem and found seven bugs your devices can't patch

runZero found seven flaws in FatFs, the filesystem inside millions of cameras, drones and controllers. No upstream patch exists. How to detect and contain it.

Translucent glass devices linked by one circuit ribbon cracked open in several places

The fix most people need for the FatFs flaws is not theirs to ship. In early July 2026 the security firm runZero disclosed seven vulnerabilities in FatFs, a compact filesystem library that devices use to read and write FAT and exFAT storage, the layout on most USB sticks and memory cards. That library is baked into firmware on drones, security cameras, industrial controllers, hardware wallets, and much more, all built on real-time operating systems. Six of the seven have no upstream fix, and the sole maintainer did not respond to the researchers. So this is not a patch-and-move-on story. It is a threat-modeling and detection story.

Coverage from The Hacker News and Security Affairs framed this as an embedded-device patch problem. For almost everyone reading, it is not, because you do not control the firmware where this code lives. The useful questions are narrower: where does it run in your fleet, how would an attacker reach it, and how would you know if one did.

What runZero found in FatFs

Seven flaws, spread across the code that parses a volume and handles filenames. Three rate high at CVSS 7.6 and can lead to memory corruption and code execution on affected hardware. One is a medium 6.1, and the last three sit at 4.6. Only the lowest-impact denial-of-service bug, CVE-2026-6684, has a fix upstream, shipped in release R0.16. The other six do not.

CVEFlawCVSSAffects
CVE-2026-6682Integer overflow while mounting a FAT32 volume, leads to memory corruption7.6FAT32 and exFAT
CVE-2026-6687Buffer overflow while reading an exFAT volume label7.6exFAT
CVE-2026-6688Long-filename overflow in wrapper code that copies the name7.6FAT32 and exFAT
CVE-2026-6685Unsigned math wrap in cache handling on fragmented volumes6.1FAT32 and exFAT
CVE-2026-6683Divide-by-zero on write that can brick a device mid-update4.6exFAT
CVE-2026-6686Reads past a file and leaks stale, possibly deleted, data4.6FAT32 and exFAT
CVE-2026-6684Malformed partition table hangs the mount (fixed in R0.16)4.6FAT32 and exFAT
The seven FatFs flaws disclosed by runZero. Source: runZero advisory, The Hacker News, and Security Affairs.

The three high-severity bugs matter most. runZero notes that the embedded targets carrying this library usually lack the memory protections a phone or laptop has, no address-space randomization and no hardware memory guards, so a buffer that overflows tends to become reliable code execution rather than a crash. On that class of device, the firm's point was blunt: brief physical access to a machine anyone can touch should not hand over the whole device, but here it does.

Why "no new commits" stopped meaning "no new bugs"

The part of this disclosure that should change how you think about dependencies is how the bugs were found. runZero went back to a FatFs assessment it had run in 2017 and pointed an off-the-shelf coding assistant at the same source, in an automatic mode, with plain prompts. The assistant wrote a fuzzer that turned up flaws the earlier manual review had walked straight past, then showed they could be triggered in practice. Code a skilled human read and cleared eight years ago gave up seven new bugs in days.

That is the real headline for defenders, and no advisory framed it this way: a clean audit in the past is no longer evidence a dependency is safe now. "No new commits" has quietly stopped meaning "no new bugs." The cheap, fast fuzzing that used to need a specialist is available to anyone now, including the people writing exploits, which is the shift we flagged when Washington put export controls on an AI good at finding bugs. Old, stable, widely embedded code is the softest target precisely because everyone assumed it was settled. Expect more disclosures like this against libraries that have not changed in years.

The patch you want is not yours to ship

FatFs is maintained by one developer. runZero says it tried repeatedly to reach that person and looped in Japan's national coordination center, JPCERT/CC, early on, and got no answer. There is no coordinated upstream fix for the six memory and logic bugs. That inverts the normal patch flow. Usually you wait for a vendor release and deploy it. Here the fix, if it comes at all, has to be written and carried by every downstream project that copied the library into its own tree.

And the downstream reach is large. runZero lists mainstream platforms that bundle it, among them Espressif's ESP-IDF, STMicroelectronics' STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung's TizenRT, and the SWUpdate updater. Each of those, and every product built on them, now owns the patch decision on its own, and many keep local modifications that change how the flaws present. This is the same structural problem we saw when a Node dependency fix could not reach most of the apps that shipped it: the fix exists in a place disconnected from where the code runs. Public proof-of-concept images already sit in runZero's repository, so the exploitation research is done and shared while the fixes are not.

Physical access is the obvious way in. Firmware updates are the quiet one.

The headline vector is removable media. An attacker who can get a rigged USB stick or SD card into a device, a camera with a card slot, a kiosk, an ATM, a voting machine, triggers the parser on mount and, on an unprotected target, runs code. That threat is real for anything the public can touch, and it is why physical-access assumptions on embedded gear need a fresh look.

The quieter path deserves more of your attention. runZero says two of the flaws, the FAT32 integer overflow and the exFAT divide-by-zero, are implicated in some over-the-air firmware update processes, where a device automatically mounts a crafted update image. That detail changes the risk math. If your update channel does not cryptographically verify an image before mounting it, an unsigned or tampered update turns a "needs hands on the device" bug into a remotely triggerable one. The single most useful thing many teams can do here has nothing to do with FatFs: sign and verify your firmware update path, because that is what decides whether these bugs stay physical or go remote.

Treat FatFs as an inventory-and-detection problem

You cannot patch what you cannot reach, so the work is knowing where the exposure lives and catching the second stage if it fires. Four things, in order:

  • Inventory the exposure. Find the embedded and IoT devices on your network that run a real-time OS with FAT or exFAT storage: cameras, controllers, drones, kiosks, single-board gear. Ask vendors whether their firmware bundles FatFs and which version. This is the same vulnerability-detection discipline you apply to servers, pointed at the devices most inventories skip.
  • Harden the two reachable channels. Restrict physical and removable-media access to devices the public can touch, and require signed, verified firmware images on every update path so the two update-triggerable bugs stay out of reach.
  • Watch the second stage, not the overflow. The memory corruption itself happens inside a device with no logs you will ever see, so a network sensor cannot catch it. What it can catch is what comes next: a jailbroken camera or controller beaconing out, scanning, or pivoting into the rest of your network. That is a threat-hunting and detection problem, and it is where a managed detection service earns its keep, by treating a quiet embedded device that suddenly behaves like a foothold as an alert, not noise.
  • Assume you carry this for years. With one unresponsive maintainer and dozens of downstream forks, there is no date by which this is "fixed." Fold the exposure into your standing threat model the way you already treat old, unpatchable gear you cannot rip out yet, like the edge devices that turned a patch backlog into an INC ransomware incident.

The instinct on a seven-CVE disclosure is to find the patch and move on. Here there is no patch to find for six of them, and the way in for most attackers is a card slot or an unsigned update, not a network port. The teams that come out of this well are the ones that already know which of their devices run this code and are watching those devices for the moment one stops being theirs.

Topics

Frequently asked questions

Do I need to patch FatFs myself?

In most cases you cannot, because FatFs lives inside device firmware you do not control. The fix has to come from whoever built the firmware, so your job is to identify affected devices, press vendors for updated firmware, and monitor those devices until it arrives.

Which FatFs vulnerability has a fix?

Only CVE-2026-6684, the lowest-impact bug, has an upstream fix, shipped in FatFs release R0.16. It is a denial-of-service flaw that hangs a device on a malformed partition table. The other six flaws, including the three high-severity code-execution bugs, have no coordinated upstream patch.

Can the FatFs flaws be exploited remotely?

Mostly no; the main path is physical, through a malicious USB stick or SD card inserted into a device. Two flaws, CVE-2026-6682 and CVE-2026-6683, can also trigger through some firmware update processes, so an unsigned update channel can turn them into a remote risk.

Which devices use FatFs?

FatFs ships inside firmware built on real-time operating systems, including security cameras with card slots, drones, industrial controllers, ATMs, kiosks, and hardware wallets. Widely used SDKs bundle it too, among them Espressif ESP-IDF, STM32Cube, Zephyr, and MicroPython, so the reach spans consumer and industrial gear.

How do you detect exploitation if you cannot patch?

Watch the device's behavior on the network, not the flaw itself. The memory corruption happens inside firmware with no visible logs, but a compromised camera or controller that starts scanning, beaconing, or pivoting is detectable. Treat any embedded device suddenly acting like a network foothold as an alert.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.