CVE: CVE-2026-38192 through CVE-2026-38198 (7 total) | Vendor/Product: FatFs — Generic FAT/exFAT Filesystem Module (ChaN)
What Is the Vulnerability
Seven new CVEs have been disclosed in FatFs, the ubiquitous open-source FAT/exFAT filesystem driver authored by ChaN. FatFs is the de facto standard filesystem module for embedded systems and ships in virtually every category of microcontroller-based device: SD card readers, USB mass storage, industrial controllers, consumer electronics, automotive infotainment, medical devices, and IoT endpoints. The vulnerabilities allow an attacker to craft a malicious filesystem image that, when mounted or read by a vulnerable FatFs build, triggers a denial of service and, in several cases, buffer overflows and out-of-bounds writes that can lead to arbitrary code execution on the device. The vector is the volume itself: whatever path delivers a crafted SD card, USB drive or disk image to the device is enough to reach the vulnerable code.
The affected code paths lie in FAT table parsing, directory entry processing, long filename (LFN) handling, and cluster chain traversal. Because FatFs is compiled into device firmware as source rather than linked as a shared library, a fix reaches deployed devices only through a firmware update from each manufacturer, something that rarely happens in the embedded ecosystem.
Versions Affected
FatFs revisions prior to the latest patch release (R0.15a). Affected devices span any embedded system integrating an unpatched FatFs module, including but not limited to SD card interfaces, USB host stacks, SPI flash filesystems, and RAM disks using FatFs.
Exploited in the Wild?
No confirmed active exploitation has been reported as of July 4, 2026. However, the attack surface is massive: any device that accepts external storage (SD cards, USB drives) and runs FatFs is potentially vulnerable. Given the lack of update mechanisms on most embedded devices, the window of exposure is effectively indefinite for deployed hardware.
Fix
Update FatFs to the patched release where possible. For devices purchased from third-party manufacturers, contact the vendor for firmware updates. For integrators including FatFs in custom firmware, recompile with the updated FatFs source and re-flash. For end users of deployed products, exercise caution: do not accept external storage media on critical or air-gapped systems unless the source is trusted. Note that the physical write-protect tab on an SD card only prevents the device from writing to the card; it does not stop the device from parsing a malicious image, so it is not a mitigation for these bugs.
Recommendations
- Audit Embedded Device Inventory: Identify all devices in your environment that integrate FatFs — this includes virtually any embedded system with SD card or USB mass storage support.
- Contact Manufacturers: For purchased devices, request firmware updates addressing the FatFs CVEs. Document vendor responses and update timelines.
- Restrict External Storage: On critical systems (industrial controllers, medical devices, secure facilities), disable or physically block external storage ports where possible.
- Recompile with Patched FatFs: For custom firmware integrating FatFs as source, update to R0.15a or later and re-flash all deployed units.
- Filesystem Validation: Where the firmware can be changed, validate the boot sector geometry (sector and cluster sizes, FAT size, total sector count, root directory size) and reject volumes whose structures are inconsistent with each other or with the medium before handing them to the FatFs parser. Treat this as defense in depth, not a substitute for the patch.
- Network Segmentation: Ensure embedded devices with filesystem interfaces are isolated from sensitive network segments to limit the blast radius of potential exploitation.
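Added example (not FatFs code and not from the advisory): a pre-mount sanity check of the kind the Filesystem Validation item describes, written in C as an integrator would wire it in front of f_mount(). It checks that the boot sector (BPB) fields are mutually consistent and fit the medium, then walks a cluster chain with range and cycle checks. Field offsets follow the standard FAT BPB layout; the 32 MiB FAT16 volume and the FAT tables are constructed for the demo. Assumptions: a 512-byte boot sector buffer, a FAT16 or FAT32 table already read into memory; FAT12 entry packing and exFAT are out of scope.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian field access for the boot sector and FAT (constructed examples only). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

typedef struct {
    uint32_t bytes_per_sec, sec_per_clus, rsvd_secs, n_fats, root_entries;
    uint32_t fat_size, total_secs, first_data_sec, n_clusters;
    int fat_type;                                               /* 12, 16 or 32 */
} fat_geom;

/* Sanity-checks a 512-byte FAT boot sector (BPB) against a medium of media_secs sectors.
   Returns 0 if the geometry is self-consistent, else a negative reason code. Size
   arithmetic is done in 64 bits so hostile field values cannot wrap around. */
int fat_check_bootsec(const uint8_t *bs, uint32_t media_secs, fat_geom *g)
{
    if (bs[510] != 0x55 || bs[511] != 0xAA) return -1;          /* boot signature */
    g->bytes_per_sec = rd16(bs + 11);  g->sec_per_clus = bs[13];
    g->rsvd_secs     = rd16(bs + 14);  g->n_fats       = bs[16];
    g->root_entries  = rd16(bs + 17);  g->total_secs   = rd16(bs + 19);
    g->fat_size      = rd16(bs + 22);
    if (g->total_secs == 0) g->total_secs = rd32(bs + 32);       /* BPB_TotSec32 */
    if (g->fat_size == 0)   g->fat_size   = rd32(bs + 36);       /* BPB_FATSz32 (FAT32) */
    if (g->bytes_per_sec < 512 || g->bytes_per_sec > 4096 ||
        (g->bytes_per_sec & (g->bytes_per_sec - 1))) return -2;   /* not a power of two in 512..4096 */
    if (g->sec_per_clus == 0 || g->sec_per_clus > 128 ||
        (g->sec_per_clus & (g->sec_per_clus - 1))) return -3;     /* not a power of two in 1..128 */
    if (g->rsvd_secs == 0 || g->n_fats == 0 || g->n_fats > 2) return -4;
    if (g->fat_size == 0 || g->total_secs == 0) return -5;
    if (g->total_secs > media_secs) return -6;                  /* volume claims more sectors than the medium has */
    uint64_t root_secs  = ((uint64_t)g->root_entries * 32 + g->bytes_per_sec - 1) / g->bytes_per_sec;
    uint64_t first_data = (uint64_t)g->rsvd_secs + (uint64_t)g->n_fats * g->fat_size + root_secs;
    if (first_data >= g->total_secs) return -7;                 /* system area leaves no room for data */
    g->first_data_sec = (uint32_t)first_data;
    g->n_clusters     = (g->total_secs - g->first_data_sec) / g->sec_per_clus;
    if (g->n_clusters == 0) return -8;
    g->fat_type = g->n_clusters < 4085 ? 12 : g->n_clusters < 65525 ? 16 : 32; /* FAT spec thresholds */
    if ((g->fat_type == 32) != (g->root_entries == 0)) return -9; /* only FAT32 has no fixed root dir */
    /* Every cluster (plus the two reserved entries) must have a slot in the FAT. */
    uint64_t entries = (uint64_t)g->n_clusters + 2;
    uint64_t need = g->fat_type == 32 ? entries * 4 : g->fat_type == 16 ? entries * 2 : (entries * 3 + 1) / 2;
    if ((uint64_t)g->fat_size * g->bytes_per_sec < need) return -10; /* FAT too small for the cluster count */
    return 0;
}

/* Walks a cluster chain in a FAT16/FAT32 table of fat_size*bytes_per_sec bytes. Returns the
   chain length, -1 if a cluster number leaves the valid range, -2 if the chain has more
   hops than the volume has clusters (a cycle), -3 for FAT12 (not handled here). */
int fat_chain_len(const uint8_t *fat, const fat_geom *g, uint32_t start)
{
    uint32_t cl = start, hops = 0, eoc = g->fat_type == 32 ? 0x0FFFFFF8u : 0xFFF8u;
    if (g->fat_type == 12) return -3;
    for (;;) {
        if (cl < 2 || cl >= g->n_clusters + 2) return -1;
        if (++hops > g->n_clusters) return -2;
        uint32_t next = g->fat_type == 32 ? (rd32(fat + (size_t)cl * 4) & 0x0FFFFFFFu) : rd16(fat + (size_t)cl * 2);
        if (next >= eoc) return (int)hops;                      /* end-of-chain marker */
        cl = next;
    }
}

/* Constructed boot sector: 32 MiB FAT16 volume, 512-byte sectors, 4 sectors/cluster,
   1 reserved sector, 2 FATs of 64 sectors, 512 root entries, 65536 sectors in total. */
static void make_fat16_bootsec(uint8_t *bs)
{
    memset(bs, 0, 512);
    bs[0] = 0xEB; bs[1] = 0x3C; bs[2] = 0x90;
    wr16(bs + 11, 512); bs[13] = 4; wr16(bs + 14, 1); bs[16] = 2;
    wr16(bs + 17, 512); wr16(bs + 19, 0); bs[21] = 0xF8; wr16(bs + 22, 64);
    wr16(bs + 32, 0); wr16(bs + 34, 1);                         /* BPB_TotSec32 = 65536 */
    bs[510] = 0x55; bs[511] = 0xAA;
}

/* Variant 0 is the well-formed volume; 1..3 are corrupted copies. Returns the checker's code. */
int demo_bootsec(int variant)
{
    uint8_t bs[512]; fat_geom g; uint32_t media = 65536;
    make_fat16_bootsec(bs);
    if (variant == 1) media = 32768;                            /* image larger than the medium */
    if (variant == 2) bs[13] = 0;                               /* zero sectors per cluster */
    if (variant == 3) wr16(bs + 22, 1);                         /* FAT far too small for the clusters */
    return fat_check_bootsec(bs, media, &g);
}

/* Constructed FAT16 table: 2->3->4->EOC (good), 5->6->5 (cycle), 7->0xF000 (past last cluster). */
int demo_chain(uint32_t start)
{
    static uint8_t fat[64 * 512]; uint8_t bs[512]; fat_geom g;
    make_fat16_bootsec(bs);
    if (fat_check_bootsec(bs, 65536, &g) != 0) return -100;
    memset(fat, 0, sizeof fat);
    wr16(fat, 0xFFF8); wr16(fat + 2, 0xFFFF);                   /* reserved entries 0 and 1 */
    wr16(fat + 2 * 2, 3); wr16(fat + 3 * 2, 4); wr16(fat + 4 * 2, 0xFFF8);
    wr16(fat + 5 * 2, 6); wr16(fat + 6 * 2, 5); wr16(fat + 7 * 2, 0xF000);
    return fat_chain_len(fat, &g, start);
}
```

In firmware, run fat_check_bootsec() on the first sector of a newly inserted medium with the sector count the block driver reports, and refuse the mount on any non-zero result; the chain walker shows the two invariants any directory or file traversal should enforce (cluster numbers stay inside [2, n_clusters + 2) and a chain never has more links than the volume has clusters). The checks cover geometry only; they do not reject a malformed directory entry or LFN record, so the patched FatFs release is still required.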
References
- CybersecurityNews — July 2026 disclosure coverage
- ChaN FatFs Official Repository: http://elm-chan.org/fsw/ff/00index_e.html
Part of the Vulnerability Intelligence series. See the July 4, 2026 VIR.
