**Critical Vulnerabilities Found in FatFs Storage Library**
A recent security review by runZero has uncovered seven serious vulnerabilities in FatFs, a widely used file system library for reading and writing FAT and exFAT storage media. Because FatFs is embedded in countless devices—from security cameras and drones to industrial controllers and crypto wallets—these flaws pose a significant risk to a broad range of connected equipment.
What makes these vulnerabilities especially dangerous is how easily they can be exploited. According to the report, any physical access to a vulnerable device—such as a public kiosk, ATM, camera with an SD card slot, or voting machine—could allow an attacker to insert a maliciously crafted USB drive, SD card, or firmware update. This would enable memory corruption and potentially allow the execution of arbitrary code. In many embedded systems, lack of memory protections means that “any physical access leads to a jailbreak.”
All seven vulnerabilities rely on FatFs improperly handling malformed data. The worst of these is CVE-2026-6682, assigned a CVSS score of 7.6 (High). It involves an integer overflow in the FAT32 mounting code, where incorrect calculations of file size can lead to memory corruption and code execution. Other high-severity flaws include buffer overflows in exFAT volume labels and long filename handling, data corruption in fragmented volumes, divide-by-zero errors capable of bricking devices, information leaks, and system hangs due to malformed partition tables.
Perhaps most concerning is that FatFs is maintained by a single developer with no formal security contact or mailing list, leaving manufacturers who embed the library without a clear path to timely patches. While some issues—like the GPT partition table hang—have been fixed in the latest upstream release, most require manual intervention by device vendors. RunZero has already shared proof-of-concept exploits and test materials, meaning the risk is immediate and real.
If your organization builds or maintains devices that use FAT or exFAT file systems, now is the time to audit your use of FatFs, review wrapper code, and identify unsafe handling of filenames and file sizes. For operators of affected devices, treat any physical interfaces and firmware update channels as attack surfaces, restrict access, and monitor for vendor updates.
This discovery echoes a broader trend in which modern AI-assisted development tools can quickly expose deep vulnerabilities in embedded C libraries—sometimes faster than maintainers can respond. Without rapid action, these long-lived flaws may persist in shipped devices for years.
*Original article content sourced from runZero disclosure as published on [The Register](https://www.theregister.com/2026/08/26/fatfs_vulnerabilities/) (via compressed inline references).*



