defense · TheHackerNews
Security firm runZero has disclosed seven vulnerabilities in FatFs, a filesystem library used in millions of embedded devices including security cameras, drones, industrial controllers, hardware crypto wallets, and real-time operating systems. The flaws range from CVSS 4.6 to 7.6 (Medium to High severity). The most critical bugs—CVE-2026-6682, CVE-2026-6687, and CVE-2026-6688—enable memory corruption and arbitrary code execution when a device processes malformed USB drives, SD cards, or firmware updates. An attacker with brief physical access to a device can exploit these flaws to gain full control. According to runZero, FatFs is maintained by a single developer with no active security coordination process, and upstream patches exist only for one of the seven issues.
Defense contractors integrating embedded systems or IoT devices into supply chains should audit their use of FatFs and related filesystem handling, particularly where devices accept external media or firmware updates—a significant CMMC concern for CUI protection. Healthcare providers deploying connected medical devices and SaaS teams shipping firmware updates or hardware integrations should treat physical ports and update channels as part of their attack surface and plan for vendor patching timelines that may extend months or years. Fintech and payment companies managing hardware crypto wallets and ATMs face particular risk, given that one flaw enables code execution via firmware update channels. An Omniware engagement can scope embedded-system dependencies, firmware update security, and physical-access threat models in detail.
Source: The Hacker News - https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html
Source: TheHackerNews
All briefings