Seven FatFs bugs, one very large blast radius

|
Updated

Heads up! If you ship firmware that touches FAT media (think any removable storage, like USB drives and SDCards), you'll want to pay attention to this post. This work was part of runZero's research into long-tail supply chain bug hunting using LLMs. We live in the future!

Today, we're publishing seven CVEs documenting several vulnerabilities in FatFs project, ranging from CVSS Medium to High (no Criticals, phew!). The affected ecosystem includes some major non-hobby platforms like Espressif ESP-IDF, STMicroelectronics STM32Cube middleware, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate, with downstream reach into consumer IoT, industrial controllers, drones, crypto wallets, and more.

This project is a return to a security assessment started back in 2017, when a manual audit and multi-day fuzzing effort identified some basic, but not compelling, bugs in the FatFs driver. Nine years later, in March of 2026, we revisited this project using Visual Studio Code, GitHub Copilot in "auto" mode, and some basic prompts, all without any specific loops, harnesses, or skills. The results were surprising. Bugs that were overlooked during the manual audit became trivial to find by using the LLM to automatically build a fuzzer with novel inputs. Not only did this effort find interesting and reportable bugs, it also automated the process of validating that these bugs are actually exploitable across different embedded scenarios.

So, why do FatFs bugs matter? For the vendors who build on these platforms it's simple: any physical access leads to a jailbreak, especially given the lack of address space layout randomization (ASLR) and memory protection. For everyone else, there are numerous devices where brief physical access by the general public should not lead to a full compromise. For example, security cameras with SDCard storage, voting machines with USB file readers, ATMs, and pretty much anything else that has a screen that you expect people to touch.

However, the attacker value is straightforward: these issues are triggerable by crafted FAT/exFAT/GPT images, often through removable media or update channels that get mounted automatically. Note that CVE-2026-6682 and 6683 are both implicated in some OTA update processes for firmware.

This post is intentionally light on exploit internals. For technical details, PoC images, harnesses, and code-level analysis, see runZero's companion research repository:

The findings, ordered by criticality #

The seven findings documented here are listed roughly in order of subjective attacker value.

FAT32 integer overflow in mount_volume() #

(CVSS 7.6, High) – This is the headline issue: CVE-206-6682 describes integer overflow in core mount arithmetic can produce attacker-controlled file-size metadata that downstream code may trust as a read length. In real systems, that can become a heap/stack overflow and code execution. In terms of practical attacker value plus transitive impact, this is at the top of the stack.

exFAT label-length stack overflow in f_getlabel() #

(CVSS 7.6, High) CVE-2026-6687 describes a condition where the exFAT label length field is not adequately capped, enabling oversized writes into caller-provided label buffers. This is especially painful where canonical examples and generated code use small stack buffers. It is a clean memory-corruption primitive in a path many firmware projects expose, at least where exFAT has been enabled.

Long filename overflow in downstream callers #

(CVSS 7.6, High) – With LFN enabled, fno.fname can be much larger than many caller buffers expect, as described by CVE-2026-6688. The bug class appears repeatedly in integrations (strcpy, sprintf, fixed-size name/path fields). This one is tricky to fix entirely in FatFs directly (since exploitation depends on wrappers copying long filenames into undersized local buffers), but it could be mitigated by FatFs changes that make filename lengths and truncation/validation outcomes more explicit to callers.

Unsigned-subtraction wrap in dirty-cache handling  #

(CVSS 6.1, Medium) – CVE-2026-6685 describes a condition where on fragmented volumes, arithmetic wrap can drive stale dirty-cache behavior and out-of-bounds memory effects in read/write paths. This can manifest as silent corruption, which is exactly the kind of bug operators hate most: hard to detect, easy to misdiagnose, and dangerous in control/data-logging workloads.

exFAT divide-by-zero in sync/write paths #

(CVSS 4.6, Medium)CVE-2026-6683 documents a divide-by-zero condition in exFAT sync/write flows that can be triggered by crafted media and produce reliable crash behavior. In update contexts, this can become a practical bricking vector. While generally more "DoS than RCE," it still offers meaningful attacker value against availability, especially given the OTA implications.

Uninitialized cluster exposure after seek beyond EOF #

(CVSS 4.6, Medium)CVE-2026-6686 describes an uninitialized-cluster exposure path where extending files beyond EOF can leak stale data from previously deleted content. It is an information-disclosure bug with real consequences in multi-stage boot/update and shared-media environments.

GPT partition-scan loop DoS (pre-R0.16) #

(CVSS 4.6, Medium)CVE-2026-6684 covers a GPT entry-count abuse case that can trigger effectively unbounded scanning in older trees. That creates a severe mount-time DoS in affected pre-R0.16 implementations, especially painful in boot paths, but it is ranked last here because upstream R0.16 added protective GPT validation. Now, it's up to implementers to upgrade.

XKCD "Dependency" strikes again #

If you have seen XKCD 2347 ("Dependency"), you already know where this is going: one component, maintained in one tiny corner of the internet, quietly supports an absurd amount of modern cyber-stuff.

FatFs is one of those components. It's compact, useful, and copied everywhere. That's great for shipping products quickly, but less great when memory-safety issues show up in parser-adjacent code that happily ingests untrusted media. This kind of component is even more challenging to deal with, from a disclosure-and-fix perspective, in that nearly everyone ends up making local, vendored modifications. So, an upstream patch must be validated pretty carefully before incorporating.

We made repeated attempts to contact the maintainer, and we involved JPCERT/CC early on as well. We did not receive a response. So, this publication is aimed at the people who can still do something useful right now: downstream implementors. Audit your vendored version, audit your wrappers, audit your file-name and file-size handling, and plan for patch updates.

Also, keeping this class of issue quiet in 2026 would be almost entirely security theater, now that we've entered the age of the apex agentic adversary. If we can find this kind of thing with some thoughtful application of AI-assisted vuln-hunting, then so can pretty much anyone else. Sure, this took a little HD Moore-branded stubbornness, but even so, we don’t believe these are going to stay undiscovered for very long. It’s too good a target space, and the next researcher probably won’t bother with creating validation and reproduction harnesses.

When it comes to vulnerability disclosure, I've always believed that I'm merely the most recent person to learn about the issue, and that's more true now than ever in this hyper-automated code auditing world. Better to disclose, coordinate where possible, and in the end, publish in order to give defenders the head's up.

PS. Looking for exploits? You can find a test harness, a full qemu-based exploit example, and corrupt FatFs images in the repository.

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.

More about todb

Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More about HD Moore
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more runZero

Product
Announcing runZero 5.0: Exposure management built to outpace AI-driven attacks
When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the...
Product Videos
runZero 5.0: Platform Demo
With the new 5.0 release, runZero is giving defenders the edge they need to succeed in the AI-attack era.
runZero Perspective
BOD 26-04: A new era of prioritized remediation
A complete breakdown of CISA's BOD 26-04 directive. Learn how the shift to SSVC, risk-based KEV prioritization, and 3-day remediation impacts your...
runZero Perspective
Dawn of the apex agentic adversary
When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
Webcasts
Defending in the shadow era: when the CVE feed goes dark
HD Moore walks through the three eras of vulnerability management: the predictable cycles era, the triage ara of AI-scale discovery, and now the...
Webcasts
runZero Hour, Ep. 31: The New Rules of Risk: EPSS v5 and Agentic Adversaries
In this episode, learn how your security team can use EPSS v5 to inform daily risk decisions in a world increasingly targeted by the apex agentic...
Webcasts
Beyond the Zero-Day: Mapping the network attackers actually see
Breaches are inevitable. Learn from HD Moore how attackers exploit the seams between IT, IoT, and OT networks — and how to fix the segmentation...
Podcasts
Risky Biz Interview: Navigating the AI vibe shift with HD Moore
runZero Founder and CEO HD Moore drops by in this week's Risky Biz sponsor interview to talk about the concerning AI vibe shift and what to do...

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.