Seven FatFs Library Bugs Expose Millions of Embedded Devices to Code Execution

Seven unpatched vulnerabilities in the widely embedded FatFs library enable memory corruption and code execution through malicious USB drives, SD cards, or firmware updates.

CSBadmin

Vulnerabilities Across the Ecosystem

Security firm runZero has disclosed seven vulnerabilities in FatFs, a lightweight filesystem library widely used in embedded devices. FatFs implements reading and writing of FAT and exFAT volumes on USB drives and SD cards, and it is bundled into the firmware of security cameras, drones, industrial controllers, hardware crypto wallets, and other devices running real-time operating systems. The most severe flaws let an attacker who supplies a malicious USB drive, SD card, or firmware update file corrupt device memory and execute arbitrary code. Because many embedded systems lack the memory protection found in desktop and mobile operating systems, runZero warns that physical access to such a port can amount to a full jailbreak of the device.

The vulnerabilities share a single root cause: when a device mounts or reads a deliberately malformed storage volume or firmware image, FatFs mishandles the malformed on-disk metadata. The highest severity flaw is CVE-2026-6682, an integer overflow in FAT32 mount handling that can lead to memory corruption and code execution and is reachable through some firmware update channels. Other high severity vulnerabilities include a buffer overflow in exFAT volume label handling and a long filename overflow in wrapper code. The medium severity bugs involve cache arithmetic errors, divide-by-zero crashes, data leakage from extended files, and hangs while parsing partition tables.
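To make the bug class concrete, here is an added example written for this page (not FatFs source, and not a reconstruction of the CVE-2026-6682 code path): a naive FAT32 geometry computation beside a version that validates every BIOS Parameter Block field before doing arithmetic on it. The bpb32_t struct, the helper names and the constructed boot sectors are all assumptions made here; the field offsets are the standard FAT32 BPB layout.

```c
/* Added example: mount-time sanity checks on FAT32 BIOS Parameter Block fields.
 * Illustrative code written for this page, NOT FatFs source and NOT the actual
 * CVE-2026-6682 code path. Every field below is read from the attacker-controlled
 * boot sector of the inserted medium or of the firmware image being mounted. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t bytes_per_sector;    /* BPB offset 11 */
    uint8_t  sectors_per_cluster; /* BPB offset 13 */
    uint16_t reserved_sectors;    /* BPB offset 14 */
    uint8_t  num_fats;            /* BPB offset 16 */
    uint32_t total_sectors;       /* BPB offset 32 (TotSec32) */
    uint32_t sectors_per_fat;     /* BPB offset 36 (FATSz32) */
} bpb32_t;

/* Little-endian loads; the boot sector is treated as bytes, never as a cast struct. */
static uint16_t ld16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t ld32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void bpb_parse(const uint8_t sec[512], bpb32_t *b) {
    b->bytes_per_sector    = ld16(sec + 11);
    b->sectors_per_cluster = sec[13];
    b->reserved_sectors    = ld16(sec + 14);
    b->num_fats            = sec[16];
    b->total_sectors       = ld32(sec + 32);
    b->sectors_per_fat     = ld32(sec + 36);
}

static bool is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Naive geometry computation, the shape this bug class comes from: the product
 * and the difference are done in 32 bits and silently wrap, and a zero
 * sectors_per_cluster divides by zero. Shown for contrast; do not ship. */
uint32_t geometry_naive(const bpb32_t *b) {
    uint32_t data_start   = b->reserved_sectors + b->num_fats * b->sectors_per_fat;
    uint32_t data_sectors = b->total_sectors - data_start;
    return data_sectors / b->sectors_per_cluster;   /* cluster count */
}

/* Hardened version: range-check every field, do the arithmetic in 64 bits, and
 * refuse any volume whose regions do not fit inside total_sectors.
 * Returns true and the cluster count on success, false on a malformed volume. */
bool geometry_checked(const bpb32_t *b, uint32_t *clusters) {
    if (b->bytes_per_sector < 512 || b->bytes_per_sector > 4096 ||
        !is_pow2(b->bytes_per_sector)) return false;
    if (b->sectors_per_cluster == 0 || b->sectors_per_cluster > 128 ||
        !is_pow2(b->sectors_per_cluster)) return false;          /* blocks the divide by zero */
    if (b->reserved_sectors == 0) return false;
    if (b->num_fats != 1 && b->num_fats != 2) return false;
    if (b->sectors_per_fat == 0 || b->total_sectors == 0) return false;

    uint64_t data_start = (uint64_t)b->reserved_sectors +
                          (uint64_t)b->num_fats * b->sectors_per_fat;
    if (data_start >= b->total_sectors) return false;            /* FAT region runs past the volume */

    uint64_t n = (b->total_sectors - data_start) / b->sectors_per_cluster;
    /* Fewer than 65525 clusters is FAT12/16 by the spec, not FAT32; cluster numbers
     * run 2..n+1 and must stay below the 0x0FFFFFF7 bad-cluster mark. */
    if (n < 65525 || n > 0x0FFFFFF5) return false;
    *clusters = (uint32_t)n;
    return true;
}

/* Constructed boot sector for a stand-alone run (test data, not a real image). */
void make_boot_sector(uint8_t sec[512], uint16_t bps, uint8_t spc, uint16_t rsv,
                      uint8_t nfats, uint32_t totsec, uint32_t fatsz) {
    memset(sec, 0, 512);
    sec[11] = (uint8_t)bps; sec[12] = (uint8_t)(bps >> 8);
    sec[13] = spc;
    sec[14] = (uint8_t)rsv; sec[15] = (uint8_t)(rsv >> 8);
    sec[16] = nfats;
    for (int i = 0; i < 4; i++) {
        sec[32 + i] = (uint8_t)(totsec >> (8 * i));
        sec[36 + i] = (uint8_t)(fatsz >> (8 * i));
    }
    sec[510] = 0x55; sec[511] = 0xAA;
}

int main(void) {
    uint8_t sec[512];
    bpb32_t b;
    uint32_t n = 0;
    make_boot_sector(sec, 512, 8, 32, 2, 1048576u, 1024u);        /* sane 512 MiB volume */
    bpb_parse(sec, &b);
    printf("sane volume: checked=%d clusters=%u\n", geometry_checked(&b, &n), n);
    make_boot_sector(sec, 512, 8, 32, 2, 1048576u, 0x80000000u);  /* 2 * FATSz32 wraps to 0 */
    bpb_parse(sec, &b);
    printf("wrapping volume: naive=%u checked=%d\n", geometry_naive(&b), geometry_checked(&b, &n));
    return 0;
}
```

The second constructed volume is the instructive one: with FATSz32 set to 0x80000000 and two FATs, the naive 32-bit product wraps to zero, so the data region appears to start right after the reserved sectors and the volume mounts with a plausible cluster count, while the checked version rejects it because the 64-bit FAT region end lies past the volume. A port that exposes only the naive path has no way to notice this at mount time.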

Patch Challenges and Downstream Impact

The patching situation is particularly difficult because FatFs is maintained by a single developer who has not responded to runZero’s disclosure attempts, despite coordination through Japan’s JPCERT/CC. Only one of the seven vulnerabilities, the GPT partition table hang, has been fixed upstream, in FatFs R0.16. The remaining memory corruption bugs have no official fix, there is no security mailing list, and there is no mechanism by which affected vendors learn about the problems. Downstream vendors are therefore left to patch their own copies independently.

Affected platforms include Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate updater. runZero has publicly released proof of concept exploit code, disk images, and a test harness. No active exploitation has been reported, but runZero found the bugs with an AI assisted fuzzing pipeline, showing that attackers could use similar automated tooling. The company recommends that device vendors audit their FatFs wrapper code, particularly around filename and file size handling, and that organizations treat physical ports and firmware update channels as critical attack surfaces.
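The "audit the wrapper code" advice, as an added example written for this page (not FatFs source and not any vendor's port): a naive glue layer that copies a directory entry's name into a fixed buffer and sizes an allocation from the on-disk file size, beside bounded versions of both. The fs_dirent_t record, the 32-byte name buffer and the function names are assumptions made here; only the 255-character long filename limit and the 32-bit DIR_FileSize field come from the FAT format itself.

```c
/* Added example: bounds checks in the glue ("wrapper") layer between a FAT
 * driver and the rest of the firmware. Illustrative code written for this page,
 * not FatFs source and not any vendor's port; fs_dirent_t and the wrapper_ and
 * alloc_len_ names are invented here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAT_LFN_MAX      255  /* a FAT long filename holds up to 255 characters */
#define WRAPPER_NAME_MAX  32  /* assumed size of the firmware's own name buffers */

/* Assumed record handed up by the filesystem layer. Its name is as long as the
 * on-disk LFN entries say it is, and its size field is DIR_FileSize verbatim;
 * both come straight from the attacker-supplied medium. */
typedef struct {
    char     name[FAT_LFN_MAX + 1];
    uint32_t size;
} fs_dirent_t;

/* strnlen equivalent that does not depend on POSIX feature macros. */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Naive wrapper: written with 8.3 names in mind, copies whatever arrives.
 * A 255-byte long filename overruns the 32-byte destination. Shown for
 * contrast; never call it with untrusted input. */
void wrapper_copy_name_naive(char dst[WRAPPER_NAME_MAX], const fs_dirent_t *e) {
    strcpy(dst, e->name);
}

/* Hardened wrapper: reject names that do not fit rather than truncating them
 * (truncation can turn one name into a different, shorter, valid one) and
 * refuse path separators that a corrupted entry may smuggle in. */
bool wrapper_copy_name(char dst[WRAPPER_NAME_MAX], const fs_dirent_t *e) {
    size_t n = bounded_len(e->name, sizeof e->name);
    if (n == 0 || n >= WRAPPER_NAME_MAX) return false;
    if (memchr(e->name, '/', n) || memchr(e->name, '\\', n)) return false;
    memcpy(dst, e->name, n);
    dst[n] = '\0';
    return true;
}

/* Naive size handling: header + DIR_FileSize in 32 bits wraps for sizes near
 * 4 GiB, so the caller allocates a tiny buffer and then reads `size` bytes into it. */
uint32_t alloc_len_naive(uint32_t fsize, uint32_t header) {
    return fsize + header;
}

/* Hardened: overflow-checked addition plus a per-device ceiling, so the
 * allocation is bounded by what the firmware can actually hold. */
bool alloc_len_checked(uint32_t fsize, uint32_t header, uint32_t limit, size_t *out) {
    if (fsize > UINT32_MAX - header) return false;   /* sum would wrap */
    uint32_t total = fsize + header;
    if (total > limit) return false;                  /* larger than we can buffer */
    *out = total;
    return true;
}

/* Constructed directory entry for a stand-alone run (test data, not from a real disk). */
void fill_dirent(fs_dirent_t *e, char ch, size_t len, uint32_t size) {
    memset(e, 0, sizeof *e);
    memset(e->name, ch, len);
    e->size = size;
}

int main(void) {
    char dst[WRAPPER_NAME_MAX];
    fs_dirent_t ok, lfn;
    size_t out = 0;
    memset(&ok, 0, sizeof ok);
    strcpy(ok.name, "FIRMWARE.BIN");
    ok.size = 1000;
    fill_dirent(&lfn, 'A', 200, 0xFFFFFFF0u);            /* 200-char LFN, size near 4 GiB */
    printf("short name accepted: %d (%s)\n", wrapper_copy_name(dst, &ok), dst);
    printf("200-char name accepted: %d\n", wrapper_copy_name(dst, &lfn));
    printf("naive alloc length for 0xFFFFFFF0 + 32: %u\n", alloc_len_naive(lfn.size, 32));
    printf("checked alloc length accepted: %d\n", alloc_len_checked(lfn.size, 32, 1u << 20, &out));
    return 0;
}
```

Rejecting rather than truncating is the deliberate choice in wrapper_copy_name: a wrapper that silently cuts a 200-character name to 31 characters can hand the rest of the firmware a path it never expected, which is a different bug than the overflow but the same attacker-controlled input. The size check mirrors the mount-time problem at the wrapper layer: a 32-bit DIR_FileSize is never validated by the format, so any arithmetic on it has to be checked before it decides a buffer length.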

Source: The Hacker News
