Last updated: July 5, 2026 at 9:01 AM UTC
Tag: firmware (2 articles)

Seven flaws in the FatFs library expose millions of embedded devices, mostly unpatched

Researchers at runZero disclosed seven vulnerabilities in FatFs, a tiny filesystem library that lets devices read FAT and exFAT media like USB drives and SD cards and that is bundled into the firmware of countless embedded and industrial products. The most serious, CVE-2026-6682, is an integer overflow when mounting a FAT32 volume that can lead to memory corruption and code execution, and several bugs are reachable through firmware update flows, not just physical media. The hard part is patching: FatFs is maintained by a single developer who did not respond to the researchers, so most of the memory-corruption flaws have no upstream fix and downstream vendors may never learn they are affected.

Check
Inventory devices and firmware that bundle the FatFs library, especially anything that mounts USB, SD-card, or externally supplied filesystem images or accepts firmware updates, and ask vendors whether their products include FatFs.
Affected
Embedded, industrial, and consumer devices that bundle FatFs to read FAT or exFAT media (CVE-2026-6682 and six others); malicious media or update images can crash devices or corrupt memory toward code execution.
Fix
Where possible, restrict which USB, SD-card, and update-image sources a device will mount, isolate affected devices, and press vendors for firmware updates, since most of these flaws have no upstream fix.

Deploy 2023 Secure Boot certificates before Microsoft's 2011 ones expire this week

The original 2011 Microsoft certificates that underpin UEFI Secure Boot begin expiring in late June 2026, and organizations that have not rolled out the replacement 2023 certificates risk a slow erosion of boot-level security. Devices will keep starting normally, but once the old certificate authorities lapse they stop receiving Secure Boot updates for pre-boot components, leaving them more exposed to bootkits, and future bootloaders signed only with the new keys may fail to verify. Most consumer Windows PCs receive the 2023 certificates automatically through Windows Update, but Windows Server and many self-managed or older fleets need manual action. A second certificate that signs the Windows bootloader expires in October.

Check
Inventory Windows devices and servers with Secure Boot enabled and check whether the 2023 certificates are present using the Windows Security app, the UEFICA2023Status registry value, or System log Event ID 1808.
Affected
Windows devices, servers, and VMs still relying on the 2011 Secure Boot certificates; Windows Server and self-managed systems are most at risk because they do not receive the 2023 certificates automatically.
Fix
Apply current cumulative and OEM firmware updates, deploy the 2023 KEK and DB certificates (manually on servers), verify completion, and suspend BitLocker if prompted during the update to avoid recovery prompts.
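The Check step above names three signals for the 2023 certificate rollout. The following PowerShell script is an added example, not part of the digest or of Microsoft's tooling, that gathers all three on one host and reports them together. It assumes the UEFICA2023Status value sits under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing (Microsoft's documented location, not stated on this page), that the 2023 certificates can be recognised in the live DB and KEK variables by the subject strings 'Windows UEFI CA 2023' and 'KEK 2K CA 2023', and that it runs in an elevated session on a UEFI system.

```powershell
# Added example (not the digest's or Microsoft's code): report the state of the
# 2023 Secure Boot certificate rollout on the local Windows host.
# Run from an elevated PowerShell session; Get-SecureBootUEFI needs admin rights.

$report = [ordered]@{}

# 1. Is Secure Boot actually enforced? Confirm-SecureBootUEFI throws on
#    legacy/CSM boot, so treat that as "not applicable" rather than "off".
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $report.SecureBootEnabled = 'N/A (not booted via UEFI)' }

# 2. Servicing status written by Windows Update. Assumed registry path; the
#    documented values are 'Not started', 'In progress' and 'Updated'.
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$status = (Get-ItemProperty -Path $servicingKey -Name UEFICA2023Status `
           -ErrorAction SilentlyContinue).UEFICA2023Status
$report.UEFICA2023Status = if ($status) { $status } else { 'Value absent (update not yet applied)' }

# 3. Look for the 2023 certificates in the live firmware variables. The DB
#    should carry the Windows UEFI CA 2023 and the KEK the 2023 KEK CA.
#    Subject strings are assumptions based on Microsoft's published names.
$expected = @{ db = 'Windows UEFI CA 2023'; KEK = 'KEK 2K CA 2023' }
foreach ($var in $expected.Keys) {
    $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction SilentlyContinue).bytes
    $text  = if ($bytes) { [System.Text.Encoding]::ASCII.GetString($bytes) } else { '' }
    $report["${var}Has2023CA"] = [bool]($text -match [regex]::Escape($expected[$var]))
}

# 4. System log Event ID 1808, which the digest cites as the success marker.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1808 } `
            -ErrorAction SilentlyContinue)
$report.Event1808Count  = $events.Count
$report.LastEvent1808At = if ($events.Count) { $events[0].TimeCreated } else { 'none' }

# 5. One-line verdict: all three signals must agree before a host is "done".
$report.RolloutComplete = ($report.UEFICA2023Status -eq 'Updated') -and
                          $report.dbHas2023CA -and $report.KEKHas2023CA

[pscustomobject]$report | Format-List
```

Run it on a sample of servers before the fleet-wide push; a host that shows `Updated` in the registry but `False` for the KEK or DB check deserves a look at the OEM firmware update, since the servicing flag alone does not prove the variables were written.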