Security experts at runZero have recently identified seven new vulnerabilities within FatFs, a widely used lightweight FAT/exFAT filesystem driver prevalent in embedded and IoT systems.
Impact and Reach of the Vulnerabilities
Although these vulnerabilities range from medium to high severity based on the CVSS scale, their potential impact is broad. FatFs is integral to platforms such as Espressif ESP-IDF, STMicroelectronics STM32Cube, and Zephyr RTOS, among others. These platforms are crucial in consumer IoT products, industrial controllers, drones, and even cryptocurrency wallets, thus making the ramifications extensive.
The vulnerabilities were uncovered as runZero revisited the FatFs code using an AI-assisted approach. This method, employed in March 2026, utilized Visual Studio Code and GitHub Copilot without the aid of custom tools, marking a significant advancement in using AI for supply chain vulnerability research.
Details on Specific Vulnerabilities
Among the identified vulnerabilities, CVE-2026-6682 is the highest-risk case: an integer overflow during FAT32 mount operations that could lead to code execution. Similarly, CVE-2026-6687 allows oversized writes into stack buffers, posing a memory corruption risk.
Other vulnerabilities include a buffer overflow when handling long filenames (CVE-2026-6688) and cache handling errors that lead to data corruption (CVE-2026-6685). These issues highlight the critical need for thorough audits and updates in the affected systems.
Challenges and Recommendations for Implementers
The flaws can be exploited through crafted FAT, exFAT, or GPT images, often via removable media or automatic update mechanisms. Devices lacking advanced security measures like ASLR or memory protection are particularly vulnerable.
Efforts to communicate these findings to the FatFs maintainer have been unsuccessful. Consequently, downstream implementers are advised to rigorously audit their adapted versions of FatFs, focusing on filename and file-size handling, and to be prepared to ship patches promptly so these risks are mitigated in the field.
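As an added illustration of the kind of check the audit advice above points at (example code written here, not FatFs source or runZero's findings, and not a reproduction of any listed CVE): mount-time geometry arithmetic over untrusted FAT32 BPB fields, using the compiler's overflow-checking builtins so that a crafted image cannot wrap a size to a small value before it is used to size a buffer. The struct and function names are assumptions; the BPB field names follow the FAT specification.

```c
#include <stdbool.h>
#include <stdint.h>

/* Subset of the FAT32 BIOS Parameter Block (BPB) that drives mount-time size
 * arithmetic. Values are untrusted: they are read straight from the image. */
typedef struct {
    uint16_t bytes_per_sector;    /* BPB_BytsPerSec */
    uint8_t  sectors_per_cluster; /* BPB_SecPerClus */
    uint16_t reserved_sectors;    /* BPB_RsvdSecCnt */
    uint8_t  num_fats;            /* BPB_NumFATs */
    uint32_t sectors_per_fat;     /* BPB_FATSz32 */
    uint32_t total_sectors;       /* BPB_TotSec32 */
} bpb32_t;

typedef struct {
    uint32_t data_start_sector;
    uint32_t cluster_count;
    uint64_t volume_bytes;
} fat_geometry_t;

/* Fills *geo and returns true only if every intermediate value fits its type
 * and the layout is self-consistent; otherwise the image is rejected before
 * anything derived from it is used to size a buffer or index a table. */
bool fat32_geometry_checked(const bpb32_t *bpb, fat_geometry_t *geo)
{
    uint32_t fat_region, data_start;

    /* Sector and cluster sizes must be powers of two in the allowed range. */
    if (bpb->bytes_per_sector < 512 || bpb->bytes_per_sector > 4096 ||
        (bpb->bytes_per_sector & (bpb->bytes_per_sector - 1)) != 0)
        return false;
    if (bpb->sectors_per_cluster == 0 ||
        (bpb->sectors_per_cluster & (bpb->sectors_per_cluster - 1)) != 0)
        return false;
    if (bpb->reserved_sectors == 0 || bpb->num_fats == 0 || bpb->sectors_per_fat == 0)
        return false;
    /* num_fats * sectors_per_fat and the following add can exceed 32 bits:
     * detect the overflow instead of letting it wrap to a small value. */
    if (__builtin_mul_overflow((uint32_t)bpb->num_fats, bpb->sectors_per_fat, &fat_region) ||
        __builtin_add_overflow((uint32_t)bpb->reserved_sectors, fat_region, &data_start) ||
        data_start >= bpb->total_sectors)
        return false;
    geo->data_start_sector = data_start;
    geo->cluster_count = (bpb->total_sectors - data_start) / bpb->sectors_per_cluster;
    /* Widen before multiplying so the byte size cannot wrap either. */
    geo->volume_bytes = (uint64_t)bpb->total_sectors * bpb->bytes_per_sector;
    return true;
}
```

With plain 32-bit arithmetic the second constructed BPB below would wrap its FAT region to a tiny value and pass every "fits on the disk" comparison; the checked version rejects it outright.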
Overall, while upstream patches exist, the onus is on downstream developers to ensure their systems are updated and secure against these vulnerabilities.
