Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
What’s new: Security firm runZero has disclosed seven vulnerabilities in FatFs, a filesystem library widely used in embedded devices. The flaws can be triggered by a malformed USB drive, SD card, or firmware update presented to the device, leading to memory corruption and potentially code execution. The most severe is CVE-2026-6682 (CVSS 7.6), an integer overflow in FAT32 mounting; the others range from CVSS 4.6 to 7.6. Affected platforms include Espressif ESP-IDF and STMicroelectronics STM32Cube. As of July 1, 2026, no in-the-wild exploitation has been reported.
Who’s affected
Any device that uses FatFs, including security cameras, drones, industrial controllers, and hardware crypto wallets, is at risk. The vulnerabilities also reach platforms that bundle FatFs, such as Zephyr, MicroPython, and Samsung TizenRT.
What to do
- Audit how FatFs is integrated into your products, including the wrapper code that handles filenames and file sizes and any code that trusts on-disk values read from a mounted volume.
- Restrict physical access to USB and SD card ports and to update channels on affected devices, since those are the paths by which a crafted filesystem image reaches the parser.
- Monitor for vendor firmware updates and apply patches as they become available.
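The summary describes the most severe flaw as an integer overflow during FAT32 mounting, and the audit advice above asks you to review how on-disk values are trusted. The example below, written for this page and not taken from FatFs or from runZero's advisory, shows the kind of check an auditor would look for: every BPB field read from the boot sector is attacker-controlled, so the arithmetic that derives volume geometry from it must be widened and bounds-checked before the result is used. The unchecked variant is included only to show how 32-bit wraparound lets an absurd FAT size "fit" inside a small volume; it is not a claim about the actual bug in CVE-2026-6682. Field offsets follow the FAT specification; the accepted ranges are the usual spec limits, applied here as assumptions, and the boot sector bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not FatFs code): overflow-checked validation of a FAT32
 * BIOS Parameter Block before any geometry derived from it is trusted. */

#define BS_LEN 512
#define FAT32_MIN_CLUSTERS 65525u   /* fewer clusters means FAT12/16, not FAT32 */

typedef enum {
    FAT_OK = 0,
    FAT_ERR_SIGNATURE,
    FAT_ERR_BYTES_PER_SECTOR,
    FAT_ERR_SECTORS_PER_CLUSTER,
    FAT_ERR_RESERVED,
    FAT_ERR_NUM_FATS,
    FAT_ERR_FAT_SIZE,
    FAT_ERR_TOTAL_SECTORS,
    FAT_ERR_OVERFLOW,        /* system area does not fit in 32 bits */
    FAT_ERR_NO_DATA_REGION,  /* system area reaches past the end of the volume */
    FAT_ERR_CLUSTER_COUNT    /* too few clusters to be a FAT32 volume */
} fat_status;

typedef struct {
    uint32_t bytes_per_sector, sectors_per_cluster, reserved_sectors;
    uint32_t num_fats, sectors_per_fat, total_sectors;
    uint32_t data_start_sector;   /* first sector of the data region */
    uint32_t cluster_count;       /* clusters in the data region */
} fat32_geometry;

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* What a careless mount path computes: unsigned 32-bit wraparound makes a
 * huge attacker-chosen FAT size look like a tiny system area. */
uint32_t fat32_system_sectors_unchecked(const uint8_t bs[BS_LEN])
{
    return rd16(bs + 14) + (uint32_t)bs[16] * rd32(bs + 36);
}

fat_status fat32_check_bpb(const uint8_t bs[BS_LEN], fat32_geometry *g)
{
    if (bs[510] != 0x55 || bs[511] != 0xAA) return FAT_ERR_SIGNATURE;

    uint32_t bps   = rd16(bs + 11);   /* BPB_BytsPerSec */
    uint32_t spc   = bs[13];          /* BPB_SecPerClus */
    uint32_t rsvd  = rd16(bs + 14);   /* BPB_RsvdSecCnt */
    uint32_t nfats = bs[16];          /* BPB_NumFATs */
    uint32_t tot   = rd32(bs + 32);   /* BPB_TotSec32 */
    uint32_t fatsz = rd32(bs + 36);   /* BPB_FATSz32 */

    /* Range checks (assumed spec limits): powers of two, non-zero counts. */
    if (bps < 512 || bps > 4096 || (bps & (bps - 1))) return FAT_ERR_BYTES_PER_SECTOR;
    if (spc == 0 || spc > 128 || (spc & (spc - 1)))   return FAT_ERR_SECTORS_PER_CLUSTER;
    if (rsvd == 0)               return FAT_ERR_RESERVED;
    if (nfats == 0 || nfats > 2) return FAT_ERR_NUM_FATS;
    if (fatsz == 0)              return FAT_ERR_FAT_SIZE;
    if (tot == 0)                return FAT_ERR_TOTAL_SECTORS;

    /* Widen before multiplying: every operand came from the attacker. */
    uint64_t sys = (uint64_t)rsvd + (uint64_t)nfats * fatsz;
    if (sys > UINT32_MAX) return FAT_ERR_OVERFLOW;
    if (sys >= tot)       return FAT_ERR_NO_DATA_REGION;

    uint32_t clusters = (uint32_t)((tot - sys) / spc);
    if (clusters < FAT32_MIN_CLUSTERS) return FAT_ERR_CLUSTER_COUNT;

    /* Each FAT must hold one 32-bit entry per cluster plus two reserved
     * entries; otherwise a legal cluster number indexes past the FAT. */
    if ((uint64_t)fatsz * bps < ((uint64_t)clusters + 2) * 4) return FAT_ERR_FAT_SIZE;

    if (g) {
        g->bytes_per_sector = bps;     g->sectors_per_cluster = spc;
        g->reserved_sectors = rsvd;    g->num_fats = nfats;
        g->sectors_per_fat = fatsz;    g->total_sectors = tot;
        g->data_start_sector = (uint32_t)sys;
        g->cluster_count = clusters;
    }
    return FAT_OK;
}

/* Constructed boot sector for the demo (not captured from any real device). */
void make_fat32_bpb(uint8_t bs[BS_LEN], uint32_t bps, uint8_t spc, uint16_t rsvd,
                    uint8_t nfats, uint32_t tot, uint32_t fatsz)
{
    memset(bs, 0, BS_LEN);
    bs[11] = bps & 0xFF;  bs[12] = (bps >> 8) & 0xFF;
    bs[13] = spc;
    bs[14] = rsvd & 0xFF; bs[15] = (rsvd >> 8) & 0xFF;
    bs[16] = nfats;
    for (int i = 0; i < 4; i++) {
        bs[32 + i] = (tot >> (8 * i)) & 0xFF;
        bs[36 + i] = (fatsz >> (8 * i)) & 0xFF;
    }
    bs[510] = 0x55; bs[511] = 0xAA;
}

int main(void)
{
    uint8_t bs[BS_LEN]; fat32_geometry g;
    make_fat32_bpb(bs, 512, 8, 32, 2, 1000000, 1024);
    printf("sane image:       status %d, clusters %u\n",
           fat32_check_bpb(bs, &g), (unsigned)g.cluster_count);
    make_fat32_bpb(bs, 512, 8, 32, 2, 1000000, 0xFFFFFFF0u);
    printf("hostile FAT size: unchecked system area %u sectors, checked status %d\n",
           (unsigned)fat32_system_sectors_unchecked(bs), fat32_check_bpb(bs, NULL));
    return 0;
}
```

With the hostile boot sector, the unchecked arithmetic wraps to a system area of 0 sectors, which would sail past a naive "fits in the volume" test; the widened computation rejects it outright. When auditing a FatFs wrapper, apply the same discipline to every value the library hands back from the medium, including directory entry file sizes and filename lengths, before using it to size a buffer or index an array.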