A dependency almost nobody can see

On 1 July 2026, security firm runZero disclosed seven vulnerabilities in FatFs, a small library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. It is one of those pieces of code that is everywhere and visible to almost no one. It ships in the firmware of security cameras, drones, industrial controllers, hardware crypto wallets, public kiosks, ATMs and voting machines with USB ports.

Three of the flaws are rated high severity. CVE-2026-6682 is an integer overflow when mounting a FAT32 volume; CVE-2026-6687 overflows a buffer through an exFAT volume label; CVE-2026-6688 overflows the wrapper code many products add around FatFs. On real hardware, the worst of these become memory corruption and code execution. The library reaches these products through mainstream toolkits, Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT and the SWUpdate updater, which is precisely why so many vendors will not yet know they are in the blast radius.

Physical access is the point, not the excuse

Some will dismiss this as needing physical access. For the device categories affected, that is the vulnerability, not a mitigation. A security camera, a public kiosk, an ATM, a voting machine: the entire design promise is that a member of the public can touch it, or plug something into it, without compromising it. These bugs break that promise. An attacker with a crafted USB drive, SD card or update file can corrupt memory and run code.

Two of the flaws, the FAT32 overflow and an exFAT divide-by-zero, are also reachable through over-the-air firmware updates. That widens the exposure from someone standing in front of the machine to someone who can influence the update channel, and it means a failed update can brick hardware in the field. runZero has published proof-of-concept disk images, a test harness and a working QEMU-based exploit, so the material an attacker would need is already in the open.

When the fix has no owner

The uncomfortable core of this story is maintenance. FatFs is kept by one developer, and runZero says it tried repeatedly to reach that maintainer and looped in Japan's JPCERT/CC coordination centre, with no response. Only one of the seven bugs, a denial-of-service hang, is fixed upstream in release R0.16. The six memory-corruption issues have no upstream patch, no security mailing list, and no mechanism for the many products that bundle FatFs to learn they are affected.

This is what modern supply-chain risk actually looks like for physical assets. Not a headline breach, but a load-bearing component with a single point of human failure, embedded so deep that the companies shipping it cannot enumerate their own exposure. The discovery method underlines how the balance has shifted: runZero found these using an off-the-shelf AI-assisted fuzzer in March 2026, work that a manual audit years earlier had missed. The tools to find these bugs are now cheap and widely available, which means attackers have them too.

What an owner should demand

You cannot patch your way out of this from the outside, so make it a procurement and vendor-management question. For any fleet of connected or embedded devices, cameras, controllers, kiosks, wallets, ask each vendor a direct question: does your firmware use FatFs, which version, and what is your plan for the six unpatched CVEs? A vendor that cannot answer quickly is telling you something about their own visibility into their code.

Internally, treat physical ports and update channels as live attack surface. Limit who can plug media into exposed devices, and confirm that firmware updates are signed and validated before they are applied. runZero's own guidance to engineering teams, audit your vendored version, audit your wrappers, audit your filename and file-size handling, is the checklist to hand to any vendor who builds hardware for you.