runZero disclosed seven vulnerabilities in the widely reused FatFs filesystem library, a FAT/exFAT implementation embedded in firmware for devices such as cameras, drones, industrial controllers, crypto wallets, and RTOS-based products. The flaws affect FAT, exFAT, and GPT parsing and can be triggered by crafted USB drives, SD cards, partition tables, or mounted firmware/update images, leading to memory corruption, denial of service, information disclosure, silent data corruption, and possible code execution. The most serious issues include CVE-2026-6682, an integer overflow in mount_volume() that can corrupt file-size metadata and enable downstream exploitation, and CVE-2026-6687, a stack overflow in f_getlabel() tied to exFAT label handling.
The disclosure warned that the blast radius is large because FatFs is vendored into ecosystems including ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, TizenRT, and SWUpdate, with exploitation often requiring physical access but also potentially reaching devices through OTA workflows that automatically mount malicious images. runZero said all released versions are affected, only CVE-2026-6684 is fixed upstream in FatFs R0.16, and no coordinated maintainer response was received despite outreach through JPCERT/CC. Researchers published proof-of-concept disk images, a test harness, and a QEMU-based exploit example, while warning that downstream vendors will need to identify and patch their own bundled copies and that remediation may take years for many products.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
One of the seven disclosed issues, CVE-2026-6684, was already fixed upstream in FatFs R0.16. The references do not provide a specific release date for that upstream fix.
Before public disclosure, runZero said it tried to contact the FatFs maintainer and involved JPCERT/CC regarding the vulnerabilities. According to the references, the maintainer did not respond.
As part of the July 1 disclosure, runZero published proof-of-concept disk images, a test harness, and a QEMU-based exploit example to help demonstrate and assess the FatFs flaws. The company also said it released tooling to help downstream implementers identify and patch vendored copies.
On July 1, 2026, runZero disclosed seven vulnerabilities in the widely reused FatFs filesystem project affecting FAT, exFAT, and GPT parsing in embedded firmware ecosystems. The issues include memory corruption, denial of service, integer overflow, information disclosure, and logic flaws, with CVE-2026-6682 highlighted as the most severe.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
securityaffairs.com
Open sourcecysecurity.news
Open sourcecybersecuritynews.com
Open sourcethehackernews.com
Open sourcenews.risky.biz
Open sourcerunzero.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.