threat-wire
Unpatched Flaws Found in Filesystem Used in Millions of Devices
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library buried inside security cameras, drones, industrial controllers, and hardware crypto wallets. On the worst-affected devices, a booby-trapped USB drive or SD card can hand over full control. The lone maintainer hasn't responded, so most fixes now depend on individual device vendors.
By SecureBusinessHub Editorial, International cybersecurity desk — · 5 min read
Seven vulnerabilities disclosed in a filesystem library called FatFs put security cameras, drones, industrial controllers, and hardware crypto wallets at risk from something as ordinary as a plugged-in USB drive or SD card.
What FatFs actually does
FatFs is a small library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. It's not a household name, but it ships inside firmware across an enormous range of hardware built on real-time operating systems.
All seven bugs work the same basic way: the device reads a storage volume or firmware image that's been deliberately malformed, and FatFs mishandles the bad data. Security firm runZero rated the set CVSS Medium to High, with no Criticals. The worst is CVE-2026-6682 (CVSS 7.6), an integer overflow in the code that mounts a FAT32 volume. Bad math there can produce a false file size, which later code treats as real, and on real hardware that can become memory corruption and code execution.
Many embedded devices lack the memory protections built into phones and laptops. As runZero put it, on the worst-affected systems, physical access is effectively a jailbreak: a public kiosk, a security camera with an SD slot, or an ATM shouldn't hand over full control after a moment with a USB port, but here it can.
Are you exposed?
- Check whether your product or firmware bundles FatFs: named affected platforms include Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate updater
- Ask your camera, drone, POS terminal, or industrial-controller vendor directly whether their firmware uses FatFs and whether a fix is planned, since there's no central advisory to rely on
- Treat every USB port and SD card slot on an embedded or unattended device as an attack surface: restrict physical access and disable ports you don't use
- Don't wait on a generic "FatFs patch." There isn't one yet, so vendor-specific firmware updates are the only real fix
No maintainer, no fix
Here's the hard part. FatFs is maintained by one developer, and runZero says it tried repeatedly to reach them, looping in Japan's JPCERT/CC coordination centre, without a response. By runZero's account, there's no upstream fix for the memory-corruption bugs and no security mailing list, which leaves every product that bundles FatFs to learn about the problem on its own and patch downstream. As of runZero's July 1 disclosure, no attacks using these bugs had been reported, and none have surfaced since.
How seven-year-old code gave up new bugs
runZero first went through FatFs by hand back in 2017 and found little worth flagging. Returning in March 2026, the team pointed an AI coding assistant, plain prompts through an off-the-shelf setup, at the same code and had it build a fuzzer: a tool that feeds malformed data into a program until something breaks. That surfaced the flaws the manual review had missed years earlier and helped confirm they were exploitable. It's the same pattern showing up across the industry lately: AI-assisted tools finding real memory-safety bugs in old, widely embedded C code that ordinary review had already passed over once.
runZero expects downstream fixes to take years rather than days. Its point of comparison is PixieFail, a 2024 batch of nine bugs in network-boot firmware code that vendors were slow to patch even after disclosure. FatFs has the same shape and a weaker fix pipeline, since there's no responsive upstream maintainer to coordinate a response at all.