Seven flaws in a tiny bit of code could shake millions of gadgets

runZero found bugs in FatFs, the filesystem library hiding inside cameras, drones and hardware crypto wallets. Patches are already trickling out, but the fix will take years.

ThreatVectr Newsdesk· 3 min read
Full-frame close-up, 16:9, of a small circuit board with a USB stick partially inserted, warm amber and cool blue lighting, shallow depth of field, faint solder
Share

Key points

  • Security firm runZero disclosed seven vulnerabilities in FatFs, a tiny piece of software used to read USB drives and SD cards inside millions of embedded devices.
  • FatFs ships inside security cameras, drones, industrial controllers and hardware crypto wallets built on popular chip platforms.
  • The flaws can be triggered by plugging in a booby-trapped USB stick or memory card, giving an attacker a foothold on the device.
  • Because FatFs is copied into each vendor's firmware, there is no central update — every device maker has to ship its own patch.

Here is a problem that is going to age badly.

Security firm runZero has disclosed seven bugs in something called FatFs. Most people have never heard of it. Almost everyone owns a device that runs it.

FatFs is a small piece of software — a library — that lets a gadget read and write files on a USB stick or SD card in the same format Windows uses. It is free, it is tiny, and for the last two decades chip makers and device engineers have quietly dropped it into their products because it just works.

That is the problem. It is everywhere, and nobody keeps a central list of where.

Which devices are affected?

Any device that reads a USB drive or memory card and was built on top of FatFs. That includes security cameras, consumer drones, factory-floor industrial controllers, and hardware crypto wallets — the little USB gadgets people use to store Bitcoin offline. It also includes plenty of medical, automotive and smart-home firmware nobody thinks about.

runZero's writeup, first reported by The Hacker News, describes seven separate flaws in how FatFs handles the layout of a FAT or exFAT disk. In plain English: if an attacker crafts a malicious USB stick or SD card and gets it plugged into a vulnerable device, the code that reads the card can be tricked into corrupting the device's own memory.

From there, a skilled attacker can potentially run their own code on the device. That is the worst-case outcome for something like a hardware wallet holding someone's savings, or a camera watching a hospital corridor.

How does an attack actually happen?

Someone has to get the poisoned storage into the device. That sounds like a big ask. In practice it is not.

A dropped USB stick in a car park is a classic trick. A shared SD card between drone hobbyists. A repair technician swapping a memory module. An attacker with five minutes of physical access to a kiosk or an industrial panel. The failure mode here is that these devices were never designed to distrust the storage plugged into them.

And unlike a phone or a laptop, most of them will never phone home for an update.

Why the fix will take years

FatFs is what engineers call a source library. Every vendor takes a copy, bakes it into their firmware, and ships it. There is no auto-update. There is no single patch that covers everyone.

The FatFs maintainer has already published fixes. Now hundreds of device manufacturers have to notice, rebuild their firmware, test it, and push it out to customers — assuming they still support the product at all. Many will not. One thing the post-mortem will say, in a year or two, is that some of these devices were end-of-life before the advisory landed.

Ordinary people cannot patch this themselves. But there is a sensible habit worth adopting: do not plug USB sticks or SD cards of unknown origin into anything you care about, especially a hardware wallet or a work device. Treat found storage the way you would treat a found syringe.

Operational takeaway: if your asset inventory does not tell you which of your devices embed FatFs, you do not have an asset inventory.

© 2026 Threat Vectr