Skip to main content
LiMP VPN
All news

FatFs: 7 Bugs Threaten ATMs, Drones and Crypto Wallets

FatFs: 7 Bugs Threaten ATMs, Drones and Crypto Wallets

In short: In early July 2026, researchers at runZero disclosed seven vulnerabilities in FatFs, a tiny filesystem library built into millions of embedded devices — from cameras and drones to ATMs and hardware crypto wallets. A booby-trapped USB stick, SD card or malicious firmware update can trigger memory corruption and, on weakly protected hardware, code execution. Most affected devices will never get a patch, so the practical defense is to never connect untrusted media and to install firmware only from official sources.

What happened

In early July 2026, the security firm runZero published details of seven flaws (CVE-2026-6682 through CVE-2026-6688) in FatFs — a small, widely used library that lets devices read and write FAT, exFAT and GPT storage such as USB drives, SD cards and update images. The bugs range from medium to high severity. The headline issue, CVE-2026-6682, is an integer overflow in FAT32 mount handling: a malformed volume makes the code miscalculate a size or read length, corrupting memory. On hardware without modern protections, that can be turned into code execution.

Because FatFs is embedded so deeply into everyday hardware, the blast radius is large. We regularly explain why device-level security matters as much as network privacy on our blog, and this case is a textbook example.

Which devices are affected?

FatFs ships inside firmware for security cameras, drones, industrial controllers, ATMs, hardware crypto wallets and other gadgets with removable media. Affected ecosystems include Espressif ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, TizenRT and the SWUpdate updater. In other words, this is not one product but a component reused across thousands of designs — which is exactly what makes supply-chain bugs like this so hard to stamp out. The same device-side risk logic appeared in our report on a botnet built from hijacked home devices.

How would an attack work?

The attacker prepares a specially crafted storage device or firmware update image. When the target reads it — often the moment you plug in the card or apply the update — the malformed data triggers the flaw. On a device without address-space randomization and memory protection, a brief moment of physical access to an SD slot or USB port can be enough to compromise the system.

One detail raises the stakes: CVE-2026-6682 may be reachable through some firmware update paths, not just removable media. That means a poisoned update, not only a physical card, could be an entry point on certain devices.

Why won't this just get patched?

Here is the hard part. According to runZero, the FatFs maintainer did not respond even after repeated contact and coordination through Japan's JPCERT/CC. Only one bug, CVE-2026-6684 (a GPT mount hang), is fixed upstream in FatFs R0.16. Even where a fix exists, every device vendor must pull it in and ship a firmware update — and cameras, wallets and controllers rarely get long-term updates. Many will stay vulnerable for their entire service life.

There is also a notable twist in how the bugs were found: runZero pointed an off-the-shelf setup — Visual Studio Code with GitHub Copilot in "auto" mode and a few plain prompts — at the code, and the AI built a fuzzer that surfaced flaws a manual audit had missed. AI is accelerating vulnerability discovery, which cuts both ways for defenders and attackers.

What it means for your data

For most people the risk is not a remote hack over the internet but physical or supply-chain exposure: an unknown USB stick, a "found" SD card, or firmware from an unofficial source. A compromised camera, router or wallet can leak footage, keys or traffic. The lesson mirrors other recent incidents — the weak point is increasingly the device in your hand or on your shelf, not just the cloud service behind it.

How to protect yourself

Never connect untrusted media. Do not plug unknown USB drives or SD cards into cameras, controllers or wallets. This closes the most direct path to these bugs.

Update firmware only from official sources. Apply updates from the vendor's own app or site, and check for security releases for your devices. If a device is abandoned by its maker, treat it as permanently at risk.

Isolate smart devices on your network. Keep IoT gadgets on a separate Wi-Fi network or guest VLAN so a compromised device cannot reach your phone or PC.

Protect the network layer. To be clear: a VPN cannot patch firmware in a camera or wallet — that is a different layer of defense. But a VPN like LiMP VPN encrypts your traffic on untrusted networks and hides your real IP, reducing tracking and exposure when your devices talk to the internet. See how it works on our features page.

Sources

This report is based on coverage by The Hacker News, the runZero research blog and Russian-language SecurityLab from July 2026.

FatFs: 7 Bugs Threaten ATMs, Drones and Crypto Wallets | LiMP VPN