2026-07-03 The Hacker News

Unpatched FatFs Flaws Expose Millions of IoT Devices to Code Execution

Vulnerability, Supply Chain

Security research firm runZero has disclosed seven previously unpatched vulnerabilities in FatFs, a lightweight FAT/exFAT filesystem library embedded in the firmware of millions of IoT and embedded devices, including security cameras, drones, industrial controllers, hardware crypto wallets, ATMs, voting machines, and public kiosks. The flaws, assigned CVEs in the 2026-668x range, can be triggered by inserting a maliciously crafted USB drive, SD card, or firmware update image, and on devices lacking modern memory protections they can lead directly to memory corruption and arbitrary code execution. runZero summarized the risk bluntly: any physical access leads to a jailbreak.

The most severe issues are three High-rated CVSS 7.6 bugs. CVE-2026-6682 is an integer overflow in the FAT32 mount routine that produces a falsified file size, which downstream code treats as a real read length, opening a path to code execution through some firmware-update flows, not just physical media. CVE-2026-6687 is an exFAT volume-label overflow into a small buffer, giving attackers a clean memory-corruption primitive, and CVE-2026-6688 involves long filenames overflowing the wrapper code that many projects place around FatFs (for example, a strcpy into a fixed-size buffer), a bug that cannot be fixed inside FatFs alone. The remaining four CVEs include a medium-severity math wrap in cache handling (CVE-2026-6685, 6.1) that can silently corrupt data on fragmented volumes, an exFAT divide-by-zero crash (CVE-2026-6683, 4.6) capable of bricking devices during updates, an information leak exposing residue from previously deleted files (CVE-2026-6686, 4.6), and a malformed GPT partition-table hang on mount (CVE-2026-6684, 4.6); the last of these is the only bug of the seven that has been fixed upstream, in FatFs R0.16.
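Two of the bugs above come down to the same mistake: a value decoded from untrusted media (a long filename, a directory-entry file size) flows into a fixed buffer or a read length without a bound check. The following is an added example, not FatFs code or any vendor's wrapper, showing how the glue layer a firmware project writes around the library can enforce those bounds itself; it assumes a FILINFO-like struct with `fsize` and `fname` fields, a 32-byte wrapper name buffer, and a 16 MiB policy ceiling on update-image size, all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the FatFs FILINFO fields (fsize, fname) that a vendor
   wrapper copies out after a directory read; example code, not FatFs or vendor code. */
typedef struct {
    uint32_t fsize;        /* size as stored in the on-media directory entry */
    char     fname[256];   /* long filename decoded by the library */
} dir_entry_t;

#define NAME_BUF_LEN 32                          /* wrapper's fixed-size name buffer */
#define MAX_UPDATE_IMAGE (16u * 1024u * 1024u)   /* assumption: largest legitimate image */

/* Hardened replacement for the unsafe `strcpy(name, fi->fname)` pattern: refuse a name
   that does not fit rather than overrunning the destination. */
bool copy_name_bounded(char *dst, size_t dst_len, const dir_entry_t *fi) {
    const char *nul = memchr(fi->fname, '\0', sizeof fi->fname);
    if (nul == NULL) return false;               /* unterminated: do not trust it */
    size_t n = (size_t)(nul - fi->fname);
    if (n == 0 || n >= dst_len) return false;    /* empty, or too long for dst */
    memcpy(dst, fi->fname, n + 1);
    return true;
}

/* Treat the on-media size as an untrusted claim: bound it by the media size, a policy
   ceiling and the destination buffer before it becomes a read length. */
bool bounded_read_len(const dir_entry_t *fi, size_t buf_len, uint64_t volume_bytes,
                      size_t *read_len) {
    if (fi->fsize > volume_bytes) return false;  /* bigger than the card: falsified */
    if (fi->fsize > MAX_UPDATE_IMAGE) return false;
    if (fi->fsize > buf_len) return false;       /* would overrun the caller's buffer */
    *read_len = (size_t)fi->fsize;
    return true;
}
/* Constructed sample entries; returns how many of the four checks behave as intended. */
int run_samples(void) {
    int ok = 0; size_t n = 0; char name[NAME_BUF_LEN];
    const uint64_t volume = 8ull << 30;          /* an 8 GiB card */
    dir_entry_t good = { .fsize = 3000, .fname = "update.bin" };
    dir_entry_t longname = { .fsize = 3000 };
    memset(longname.fname, 'A', 200);            /* 200-char LFN, still NUL-terminated */
    dir_entry_t bogus = { .fsize = 0xFFFFFFFFu, .fname = "update.bin" };  /* wrapped size */
    ok += copy_name_bounded(name, sizeof name, &good) && strcmp(name, "update.bin") == 0;
    ok += !copy_name_bounded(name, sizeof name, &longname);
    ok += bounded_read_len(&good, 4096, volume, &n) && n == 3000;
    ok += !bounded_read_len(&bogus, 4096, volume, &n);
    return ok;                                   /* 4 when every check holds */
}
```

The volume-size bound is the cheapest test for a size wrapped by an integer overflow, since no real file can be larger than the medium it sits on; the policy ceiling then catches sizes that are possible but nonsensical for the device's use case.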

The deeper problem is governance. FatFs is maintained primarily by a single developer in a small corner of the internet, and runZero reports that repeated attempts to contact the maintainer, including coordination through Japan's JPCERT/CC, went unanswered. There is no upstream fix for the memory-corruption class of bugs, no security mailing list, and no straightforward channel to notify the many OEMs and firmware projects that bundle the library, a classic supply-chain blind spot that leaves product vendors and end users largely in the dark. For organizations operating affected hardware, the immediate step is to inventory exposed endpoints and restrict physical access to USB and SD interfaces; network reconnaissance tools such as our port scanner can help identify which IoT assets are reachable and whether management interfaces are exposed to the network.

Until the maintainer releases a coordinated patch, runZero recommends that vendors treat any untrusted storage media as hostile, disable autorun on removable media where feasible, and monitor for firmware-image integrity checks. End users and integrators should pressure vendors for a public advisory and check device vendor security bulletins for updates referencing FatFs R0.16 or later, which incorporates the one upstream fix available today. The disclosure is a reminder that a single unmaintained library can quietly become a systemic risk across the entire embedded-device ecosystem.

Source: The Hacker News
