FatFs Vulnerabilities:
Is Your Firmware Exposed?

In July 2026, researchers disclosed seven new CVEs in FatFs by ChaN, the filesystem driver running in a huge share of the world's embedded and IoT devices.

If your product reads SD cards, mounts USB drives, or uses removable media, there's a strong chance FatFs is in your image.

We find out what's in your firmware, whether these CVEs are actually reachable in your product, and what it takes to fix them.

The Seven CVEs

Three High-severity memory-corruption bugs and four Medium issues. Reachability is what determines your risk.

CVE-2026-6682High · 7.6

Integer overflow in mount_volume() during FAT32 mount

Attacker-controlled file-size metadata; potential heap/stack overflow and code execution.

CVE-2026-6687High · 7.6

Uncapped exFAT label-length field in f_getlabel()

Oversized writes into caller stack buffers — a clean memory-corruption primitive.

CVE-2026-6688High · 7.6

Oversized LFN fno.fname values (long filenames enabled)

Overflows fixed-size buffers in downstream callers using strcpy/sprintf. A full fix requires wrapper-level changes.

CVE-2026-6685Medium · 6.1

Unsigned-subtraction wraparound in dirty-cache handling on fragmented volumes

Stale cache behavior and out-of-bounds effects; risk of silent data corruption.

CVE-2026-6683Medium · 4.6

Divide-by-zero in exFAT sync/write paths via crafted media

A reliable crash — particularly concerning during OTA update processes, where it can brick an update in the field.

CVE-2026-6686Medium · 4.6

Seek beyond EOF exposes uninitialized cluster data

Leaks stale content from deleted files in shared-media or multi-stage boot environments.

CVE-2026-6684Medium · 4.6

Missing GPT entry-count validation (pre-R0.16)

Unbounded partition-scan loops; mount-time denial of service. Is your library earlier than R0.16?

How We Help

A focused review that tells you where you actually stand, and the remediation to close whatever it finds.

1

FatFs Exposure Review

$2,000fixed fee per firmware

A scoped assessment of one firmware project, answering the questions your team can't answer from memory:

  • Is FatFs in your firmware, and which version? On most MCU projects the version was never recorded. Finding it is the hard part — and the foundation for everything else.
  • How far has it diverged from upstream? We identify what was locally changed so patches can be validated against your actual code, not a clean tree.
  • Which of the seven CVEs are reachable in your product? A bug in a code path you don't compile in is noise. The triage is the value.
  • Can you even ship a fix? Do you have a reproducible build, a bootloader that supports update, and signed-image capability? A vulnerability you can't rebuild to patch is the real exposure.

You get a written report: the finding, the reachable-vs-noise triage, a prioritized remediation list, and a short summary a non-specialist manager or a customer's security reviewer can act on.

No FatFs in your firmware? We don't charge you the full fee. If we find no FatFs in the firmware you send, you pay just $399 — and get a documented finding to that effect for your CRA file.

2

Remediation

A la carte

The fixes themselves, at our standard consulting rate:

  • Patching or back-porting the upstream fixes into your vendored, modified FatFs, validated against your target
  • Wrapper-level hardening for the LFN and label-length issues upstream can't fully fix (CVE-2026-6688, CVE-2026-6687)
  • Input validation on key FatFs operation paths
  • Build resurrection where the firmware can no longer be rebuilt to patch it (handed off to our MCU Rescue practice)
  • Updated SBOM and documentation of what was fixed, when, and in which release

Request a FatFs Review with Just an Email

Leave your email and we'll reach out, that's all we need to start. If you already know your platform or what's prompting this, add a line and we'll come back with something specific.

  • No obligation and no sales script — a real engineer reads every one.
  • We typically respond within one business day.
  • Prefer email? Reach us directly at contact@clisystems.com.

Start Here

Why CLI Systems

Real firmware expertise since 2012 — not a scanner running a checklist.

Deep MCU Firmware Experience

Hands-on embedded firmware work since 2012. We read code, follow the actual data path, and understand what a filesystem driver is doing on a constrained target — not just what a scanner flags.

We Work In Legacy Code Others Won't

Vendored, locally modified, poorly documented FatFs copies are the norm. That's exactly the kind of code we specialize in — the work nobody left on your team can do.

Reachability, Not Noise

We tell you what's actually reachable in your product, so you fix what matters and ignore the rest. The triage is the value.

We Carry It All The Way Through

From "is this in our image?" to a shippable, patched build. If the firmware can no longer be rebuilt, our MCU Rescue practice resurrects the build first.

US-Based & Compliance-Aware

US-based and familiar with medical and industrial compliance contexts, so findings land in terms your regulatory and customer reviewers can act on.

Engineering-Led, Honestly Scoped

This is engineering-led identification of security exposure and risk, not a legal determination of compliance obligations. Where a finding turns into a regulatory or contractual question, we flag it and recommend confirming with appropriate counsel.