Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

runZero disclosed seven vulnerabilities in FatFs that can lead to memory corruption, device crashes, data leaks, and possible code execution on embedded systems that read FAT and exFAT media. The issues affect widely used platforms such as Espressif ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate, while proof-of-concept exploit material is already public.

#FatFs #runZero #CVE-2026-6682 #CVE-2026-6687 #CVE-2026-6688 #CVE-2026-6685 #CVE-2026-6683 #CVE-2026-6686 #CVE-2026-6684 #EspressifESPIDF #STM32Cube #Zephyr #MicroPython #ArduPilot #RTThread #Mbed #SamsungTizenRT #SWUpdate

Key Points

  • runZero found seven vulnerabilities in FatFs, a filesystem library used by many embedded devices.
  • The flaws can be triggered by malformed USB drives, SD cards, or firmware update files.
  • The most severe issue, CVE-2026-6682, can lead to memory corruption and possible code execution.
  • Affected platforms include Espressif ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate.
  • runZero released proof-of-concept images and an exploit example, while upstream patching remains limited.

Read More: https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html