STMicroelectronics, Zephyr Project, Espressif, ArduPilot and RT-Thread: Seven Bugs in FatFs Put IoT and Embedded Devices at Risk

STMicroelectronics, Zephyr Project, Espressif, ArduPilot and RT-Thread: Seven Bugs in FatFs Put IoT and Embedded Devices at Risk

Seven Critical Vulnerabilities in FatFs Expose IoT and Embedded Devices to Attacks

Cybersecurity firm runZero disclosed seven vulnerabilities in FatFs, a widely used open-source filesystem library for embedded and IoT devices, on July 6, 2026. The flaws, ranging from CVSS 4.6 (Medium) to 7.6 (High), can lead to memory corruption, crashes, data leaks, or remote code execution when devices process maliciously crafted storage media (e.g., USB drives, SD cards).

Discovery and Impact

The vulnerabilities were uncovered during a 2026 re-audit of FatFs, which had previously undergone a 2017 security review with minimal findings. This time, researchers leveraged GitHub Copilot in auto mode to automate fuzzing and exploit validation, revealing issues that manual testing had missed. The flaws affect numerous platforms, including:

  • Espressif ESP-IDF
  • STMicroelectronics STM32Cube
  • Zephyr RTOS
  • MicroPython
  • ArduPilot
  • RT-Thread
  • Mbed
  • Samsung TizenRT
  • SWUpdate

Downstream devices such as security cameras, voting machines, ATMs, drones, and industrial controllers are at risk, particularly those lacking modern memory protections like ASLR. Physical access to vulnerable devices could allow attackers to gain full control, while two flaws (CVE-2026-6682, CVE-2026-6683) also enable remote exploitation via firmware updates.

Vulnerability Breakdown

  1. CVE-2026-6682 (CVSS 7.6) – FAT32 integer overflow in mount_volume() leading to heap/stack corruption and potential code execution.
  2. CVE-2026-6687 (CVSS 7.6) – exFAT label-length stack overflow causing memory corruption.
  3. CVE-2026-6688 (CVSS 7.6) – Long filename overflow in downstream code, risking buffer overflows via strcpy/sprintf.
  4. CVE-2026-6685 (CVSS 6.1) – Unsigned subtraction wrap in dirty-cache handling, risking silent data corruption.
  5. CVE-2026-6683 (CVSS 4.6) – exFAT divide-by-zero in sync/write paths, causing crashes or bricking during firmware updates.
  6. CVE-2026-6686 (CVSS 4.6) – Uninitialized cluster exposure, leaking stale deleted file data.
  7. CVE-2026-6684 (CVSS 4.6) – GPT partition scan loop in pre-R0.16 versions, enabling boot-time denial-of-service.

Patch Status and Challenges

FatFs is maintained by a single developer, who did not respond to disclosure attempts. JPCERT/CC was also unable to facilitate coordination. Only one flaw (CVE-2026-6684) has an upstream fix (in R0.16), but vendors must manually integrate it into their vendored copies. The lack of a responsive maintainer and widespread custom modifications by vendors complicate patching, mirroring delays seen in past disclosures like PixieFail (2024).

Proof-of-Concept and Current Threat

runZero released proof-of-concept disk images, a test harness, and a QEMU-based exploit demo in a public repository. As of the disclosure date, no active attacks had been reported. However, the automated tooling used to find these flaws is now widely accessible, increasing the risk of future exploitation.

The vulnerabilities underscore the long-term risks of widely embedded, minimally maintained components in critical infrastructure and consumer devices.

Source: https://securityaffairs.com/194808/security/seven-bugs-in-fatfs-put-iot-and-embedded-devices-at-risk.html

Zero Axis cybersecurity rating report: https://www.rankiteo.com/company/zeroaxistech

The Zephyr Project cybersecurity rating report: https://www.rankiteo.com/company/the-zephyr-project

Espressif Systems cybersecurity rating report: https://www.rankiteo.com/company/espressif-systems

STMicroelectronics cybersecurity rating report: https://www.rankiteo.com/company/stmicroelectronics

ArduPilot cybersecurity rating report: https://www.rankiteo.com/company/ardupilot

"id": "ZERTHEESPSTMARD1783341911",
"linkid": "zeroaxistech, the-zephyr-project, espressif-systems, stmicroelectronics, ardupilot",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Embedded Systems',
                        'name': 'Espressif ESP-IDF',
                        'type': 'Platform'},
                       {'industry': 'Embedded Systems',
                        'name': 'STMicroelectronics STM32Cube',
                        'type': 'Platform'},
                       {'industry': 'Embedded Systems',
                        'name': 'Zephyr RTOS',
                        'type': 'Platform'},
                       {'industry': 'Embedded Systems',
                        'name': 'MicroPython',
                        'type': 'Platform'},
                       {'industry': 'Drones/Robotics',
                        'name': 'ArduPilot',
                        'type': 'Platform'},
                       {'industry': 'Embedded Systems',
                        'name': 'RT-Thread',
                        'type': 'Platform'},
                       {'industry': 'Embedded Systems',
                        'name': 'Mbed',
                        'type': 'Platform'},
                       {'industry': 'Embedded Systems',
                        'name': 'Samsung TizenRT',
                        'type': 'Platform'},
                       {'industry': 'Embedded Systems',
                        'name': 'SWUpdate',
                        'type': 'Platform'},
                       {'customers_affected': 'Security cameras, voting '
                                              'machines, ATMs, drones, '
                                              'industrial controllers',
                        'type': 'Device'}],
 'attack_vector': ['Physical access to storage media',
                   'Remote exploitation via firmware updates'],
 'data_breach': {'type_of_data_compromised': 'Stale deleted file data'},
 'date_detected': '2026',
 'date_publicly_disclosed': '2026-07-06',
 'description': 'Cybersecurity firm runZero disclosed seven vulnerabilities in '
                'FatFs, a widely used open-source filesystem library for '
                'embedded and IoT devices. The flaws can lead to memory '
                'corruption, crashes, data leaks, or remote code execution '
                'when devices process maliciously crafted storage media. The '
                'vulnerabilities affect numerous platforms and downstream '
                'devices such as security cameras, voting machines, ATMs, '
                'drones, and industrial controllers.',
 'impact': {'data_compromised': 'Stale deleted file data (CVE-2026-6686)',
            'downtime': 'Crashes or bricking (CVE-2026-6683, CVE-2026-6684)',
            'operational_impact': 'Potential remote code execution, memory '
                                  'corruption, data leaks',
            'systems_affected': 'IoT and embedded devices using FatFs'},
 'investigation_status': 'Publicly disclosed, no active attacks reported',
 'lessons_learned': 'The vulnerabilities underscore the long-term risks of '
                    'widely embedded, minimally maintained components in '
                    'critical infrastructure and consumer devices.',
 'post_incident_analysis': {'corrective_actions': 'Manual patching, vendor '
                                                  'coordination, and enhanced '
                                                  'security reviews for '
                                                  'embedded components',
                            'root_causes': 'Lack of responsive maintainer, '
                                           'widespread custom modifications by '
                                           'vendors, and minimal memory '
                                           'protections in affected devices'},
 'recommendations': 'Vendors should manually integrate the upstream fix for '
                    'CVE-2026-6684 and audit their FatFs implementations for '
                    'other vulnerabilities. Users should monitor for updates '
                    'from their device manufacturers.',
 'references': [{'source': 'runZero'},
                {'source': 'GitHub repository (proof-of-concept)'}],
 'response': {'communication_strategy': 'Public disclosure by runZero',
              'remediation_measures': 'Manual integration of upstream fix '
                                      '(R0.16 for CVE-2026-6684)',
              'third_party_assistance': 'JPCERT/CC (unsuccessful '
                                        'coordination)'},
 'title': 'Seven Critical Vulnerabilities in FatFs Expose IoT and Embedded '
          'Devices to Attacks',
 'type': 'Vulnerability Disclosure',
 'vulnerability_exploited': ['CVE-2026-6682 (FAT32 integer overflow)',
                             'CVE-2026-6687 (exFAT label-length stack '
                             'overflow)',
                             'CVE-2026-6688 (Long filename overflow)',
                             'CVE-2026-6685 (Unsigned subtraction wrap)',
                             'CVE-2026-6683 (exFAT divide-by-zero)',
                             'CVE-2026-6686 (Uninitialized cluster exposure)',
                             'CVE-2026-6684 (GPT partition scan loop)']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.