FatFs: LLM-Assisted Fuzzing Finds 7 CVEs in Embedded Firmware

AI relevance: Researchers used LLM-assisted fuzzing to discover 7 CVEs in FatFs, a compact C library for FAT/exFAT media parsing, demonstrating how AI can automate vulnerability research in long-tail embedded firmware supply chains.

What Happened

  • runZero researchers Tod Beardsley and HD Moore disclosed 7 CVEs in FatFs, a compact C library that handles FAT, exFAT, and GPT media parsing in embedded systems
  • The affected ecosystem includes major platforms: Espressif ESP-IDF, STMicroelectronics STM32Cube middleware, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate
  • Downstream reach extends into consumer IoT devices, industrial controllers, drones, ATMs, security cameras, voting machines, and cryptocurrency wallets
  • CVE scores range from 4.6 to 7.6 (Medium to High); no Criticals, but several are directly exploitable for code execution
  • The headline vulnerability, CVE-2026-6682 (CVSS 7.6), is an integer overflow in core FAT32 mount arithmetic that can produce attacker-controlled file-size metadata, leading to heap/stack overflow and potential code execution
  • CVE-2026-6687 (CVSS 7.6) involves a stack overflow triggered by inadequately capped exFAT label-length fields; CVE-2026-6688 (CVSS 7.6) documents long-filename overflows in downstream callers
  • Researchers used Visual Studio Code with GitHub Copilot in "auto" mode and basic prompts — no specific loops, harnesses, or skills — to automatically build a fuzzer with novel inputs
  • This was a return to a security assessment started in 2017; bugs that were overlooked during the manual audit became trivial to find using the LLM to automate fuzzing and validate exploitability across different embedded scenarios

Why It Matters

This research demonstrates a practical application of LLM-assisted security research in long-tail supply chains. FatFs is a classic "XKCD Dependency" — one component maintained in a tiny corner of the internet that quietly supports an absurd amount of modern cyber-physical infrastructure. The library is compact, useful, and copied everywhere, with nearly everyone making local, vendored modifications.

The disclosure and patch chain for such components is fundamentally broken. FatFs doesn't appear to have been implicated in any CVE-identified vulnerabilities before this disclosure. Researchers made repeated attempts to contact the FatFs maintainer and involved JPCERT/CC in the coordination effort — they received no response. Device implementors, the teams closest to deployed devices, appear to be the only parties positioned to act.

For AI security teams, this shows that LLMs can automate the tedious work of building fuzzers and validating exploitability, making it economically feasible to audit components that would otherwise never receive a proper security review. However, the patching challenge remains: each platform maintainer must independently validate and integrate a fix, and then device manufacturers must push it to deployed hardware. In many real-world environments, that chain never completes.

What to Do

  • Audit vendored FatFs: Check your embedded systems against the current research findings; the affected CVEs are documented in runZero's companion repository
  • Review wrappers and calling code: Audit file-name and file-size handling assumptions in your integration; many vulnerabilities exploit caller buffers that assume shorter filenames
  • Plan for patch integration: Monitor platform maintainers for FatFs updates; be prepared to integrate fixes independently if upstream is unresponsive
  • Physical access controls: The highest-severity vulnerabilities are triggerable by crafted FAT/exFAT/GPT images through removable media (USB drives, SD cards); restrict physical access to devices with removable storage interfaces
  • OTA update scrutiny: CVE-2026-6682 and CVE-2026-6683 are implicated in some OTA update processes; review firmware update mechanisms for FatFs dependencies
  • LLM-assisted auditing: Consider using LLM-assisted fuzzing for long-tail supply chain components that have never received a proper security review

Sources