Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
runZero disclosed seven vulnerabilities in FatFs, a filesystem library used to access FAT and exFAT volumes on removable storage. The issues are tracked as CVE-2026-6682, CVE-2026-6683, CVE-2026-6684, CVE-2026-6685, CVE-2026-6686, CVE-2026-6687, and CVE-2026-6688, including integer overflows that can lead to memory corruption and possible code execution when a device mounts attacker-controlled or malformed storage/update images. This matters because FatFs is bundled into many embedded platforms and firmware (e.g., Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate updater), expanding potential impact across consumer IoT, industrial systems, drones, and crypto wallets.