cognitive cybersecurity intelligence

Multiple FatFs Vulnerabilities Expose Millions of Embedded Devices to Cyber Risks

Security researchers at runZero have disclosed seven new CVEs affecting FatFs, the ubiquitous lightweight FAT/exFAT filesystem driver used across embedded and IoT ecosystems.

The vulnerabilities range from CVSS Medium to High, with no Critical-rated findings, but their reach is significant: FatFs underpins platforms including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate, extending into consumer IoT, industrial controllers, drones, and crypto wallets.

The research revisits a 2017 manual audit and fuzzing effort that surfaced only minor bugs. In March 2026, runZero reapproached the codebase using Visual Studio Code and GitHub Copilot in “auto” mode, without custom harnesses or fuzzing loops.

The LLM-assisted approach uncovered previously overlooked bugs and helped validate real-world exploitability across multiple embedded scenarios, highlighting the growing role of AI in long-tail supply chain vulnerability research.

FatFs Vulnerabilities

CVE-2026-6682 (CVSS 7.6, High) — Integer overflow in mount_volume() during FAT32 mounting produces attacker-controlled file-size metadata, potentially leading to heap or stack overflow and code execution.

CVE-2026-6687 (CVSS 7.6, High) — An uncapped exFAT label-length field in f_getlabel() enables oversized writes into caller-provided stack buffers, creating a clean memory-corruption primitive.

CVE-2026-6688 (CVSS 7.6, High) — When long filenames (LFN) are enabled, oversized fno.fname values overflow fixed-size buffers in downstream callers that copy the name with strcpy or sprintf. A complete fix requires changes in that calling code (bounded copies that notice truncation), though FatFs itself could improve truncation signaling.

CVE-2026-6685 (CVSS 6.1, Medium) — Unsigned-subtraction wraparound in dirty-cache handling on fragmented volumes causes stale cache behavior and out-of-bounds memory effects, risking silent data corruption.

CVE-2026-6683 (CVSS 4.6, Medium) — A divide-by-zero in exFAT sync/write paths, triggerable via crafted media, creates reliable crash conditions — particularly concerning for OTA update processes.

CVE-2026-6686 (CVSS 4.6, Medium) — Seeking beyond EOF exposes uninitialized cluster data, leaking stale content from previously deleted files in shared-media or multi-stage boot environments.

CVE-2026-6684 (CVSS 4.6, Medium) — Pre-R0.16 implementations lack GPT entry-count validation, allowing unbounded partition-scan loops and mount-time denial-of-service. Upstream R0.16 already addresses this; the burden now falls on downstream upgrades.

All of these flaws are triggerable with a crafted FAT, exFAT, or GPT image delivered on removable media or through an auto-mounted update channel. Because embedded targets commonly lack ASLR and memory protection, the memory-corruption cases mean that physical access to a USB or SD card slot can translate directly into full compromise.
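One mount-time check of the kind CVE-2026-6684 is about, as an added example (illustrative code written for this page, not FatFs' source and not the upstream R0.16 fix): parse the GPT header fields that drive the partition-entry scan and refuse to start the loop when the entry count, entry size, or implied table length is implausible. Field offsets follow the UEFI GPT header layout at LBA 1; the 512-byte sector size and the `GPT_MAX_*` ceilings are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE           512
#define GPT_MIN_ENTRY_SIZE    128   /* UEFI: entry size is 128 * 2^n bytes           */
#define GPT_MAX_ENTRIES       512   /* assumed ceiling; typical tables hold 128      */
#define GPT_MAX_ARRAY_SECTORS 128   /* assumed: never read more than 64 KiB of table */

typedef struct {
    uint64_t entry_lba;   /* header offset 72: first LBA of the entry array */
    uint32_t num_entries; /* header offset 80: number of entries            */
    uint32_t entry_size;  /* header offset 84: bytes per entry              */
} gpt_hdr_t;

/* Little-endian field accessors (GPT is always little-endian). */
static uint32_t ld32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t ld64(const uint8_t *p) { return (uint64_t)ld32(p) | (uint64_t)ld32(p + 4) << 32; }
static void st32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void st64(uint8_t *p, uint64_t v) { st32(p, (uint32_t)v); st32(p + 4, (uint32_t)(v >> 32)); }

/* Validate the header at LBA 1.  Returns false, leaving *h untouched, when the
 * partition scan must not be started from these values. */
bool gpt_header_ok(const uint8_t sec[SECTOR_SIZE], gpt_hdr_t *h)
{
    if (memcmp(sec, "EFI PART", 8) != 0) return false;   /* signature */
    uint64_t lba = ld64(sec + 72);
    uint32_t n   = ld32(sec + 80);
    uint32_t sz  = ld32(sec + 84);

    /* Entry size: a power of two, at least 128, and never larger than a sector
     * (this also rules out sz == 0 before anything divides by it). */
    if (sz < GPT_MIN_ENTRY_SIZE || sz > SECTOR_SIZE || (sz & (sz - 1)) != 0) return false;
    /* Entry count: non-zero and below a hard ceiling, independent of sz. */
    if (n == 0 || n > GPT_MAX_ENTRIES) return false;
    /* Bound the I/O the scan implies, computed in 64 bits so n*sz cannot wrap. */
    uint64_t sectors = ((uint64_t)n * sz + SECTOR_SIZE - 1) / SECTOR_SIZE;
    if (sectors > GPT_MAX_ARRAY_SECTORS) return false;
    /* The array must sit after the protective MBR (LBA 0) and header (LBA 1),
     * and the end-of-array LBA must not wrap around. */
    if (lba < 2 || lba + sectors < lba) return false;

    h->entry_lba = lba; h->num_entries = n; h->entry_size = sz;
    return true;
}

/* Sectors the mount code will read while scanning a validated header. */
uint64_t gpt_scan_sectors(const gpt_hdr_t *h)
{
    return ((uint64_t)h->num_entries * h->entry_size + SECTOR_SIZE - 1) / SECTOR_SIZE;
}

/* Constructed header sector carrying only the fields checked above. */
void make_gpt_sector(uint8_t sec[SECTOR_SIZE], uint64_t entry_lba, uint32_t num, uint32_t size)
{
    memset(sec, 0, SECTOR_SIZE);
    memcpy(sec, "EFI PART", 8);
    st64(sec + 72, entry_lba);
    st32(sec + 80, num);
    st32(sec + 84, size);
}

int main(void)
{
    uint8_t sec[SECTOR_SIZE];
    gpt_hdr_t h;

    make_gpt_sector(sec, 2, 128, 128);          /* ordinary disk: 128 x 128 B = 32 sectors */
    printf("normal header ok=%d scan=%llu sectors\n", gpt_header_ok(sec, &h),
           (unsigned long long)gpt_scan_sectors(&h));

    make_gpt_sector(sec, 2, 0xFFFFFFFFu, 128);  /* crafted: four billion entries */
    printf("huge count ok=%d\n", gpt_header_ok(sec, &h));

    make_gpt_sector(sec, 2, 128, 0);            /* crafted: zero-size entries */
    printf("zero entry size ok=%d\n", gpt_header_ok(sec, &h));
    return 0;
}
```

The ceiling on implied sectors is the check that actually bounds the loop: a count cap alone can be defeated by a large entry size, and an entry-size cap alone by a large count, so the product is what must be limited, in 64-bit arithmetic so the product itself cannot wrap.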

Affected device classes include security cameras, ATMs, voting machines, and any hardware with USB or SD card interfaces accessible to the public.

runZero attempted multiple times to contact the FatFs maintainer and involved JPCERT/CC early in the process, but received no response. Because most implementers maintain heavily vendored, locally modified versions of FatFs, upstream patches require careful validation before adoption.

Downstream implementers are urged to audit vendored FatFs code, review filename and file-size handling in wrappers, and prepare for patch rollouts.
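As an added illustration of the wrapper-level review asked for here (example code written for this page, not runZero's material and not FatFs' own source): the unsafe copy pattern described for CVE-2026-6688 beside a bounded replacement that reports truncation, plus a size gate for the attacker-controlled file-size metadata described for CVE-2026-6682. The `filinfo_t` struct is a local stand-in for the `fname` and `fsize` fields of FatFs' `FILINFO` so the file compiles without `ff.h`; `APP_NAME_MAX` and `APP_FILE_MAX` are assumed application limits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FF_MAX_LFN   255                  /* FatFs default LFN length in characters */
#define APP_NAME_MAX 32                   /* assumed: the wrapper's own name buffer  */
#define APP_FILE_MAX (4u * 1024u * 1024u) /* assumed: largest file the app accepts   */

/* Local stand-in for the two FILINFO fields used below (not FatFs' struct). */
typedef struct {
    uint64_t fsize;                       /* on-disk file size, attacker-controlled  */
    char     fname[FF_MAX_LFN + 1];       /* long file name as returned by f_readdir */
} filinfo_t;

/* VULNERABLE: the downstream pattern the advisory describes.  An LFN of up to
 * 255 bytes is copied into a 32-byte buffer with no length check and no
 * truncation signal from the filesystem layer.  Shown for contrast only. */
void copy_name_unsafe(char out[APP_NAME_MAX], const filinfo_t *fno)
{
    strcpy(out, fno->fname);              /* overflows once strlen(fname) >= 32 */
}

/* HARDENED: bounded copy that always NUL-terminates and returns false when
 * the name did not fit, so the caller can reject the entry rather than act
 * on a silently mangled name. */
bool copy_name_safe(char *out, size_t out_len, const filinfo_t *fno)
{
    if (out_len == 0) return false;
    const char *end = memchr(fno->fname, '\0', sizeof fno->fname);
    size_t n = end ? (size_t)(end - fno->fname) : sizeof fno->fname;
    if (!end || n >= out_len) {
        size_t k = out_len - 1;           /* truncate, terminate, and flag it */
        if (k > n) k = n;
        memcpy(out, fno->fname, k);
        out[k] = '\0';
        return false;
    }
    memcpy(out, fno->fname, n + 1);       /* includes the terminator */
    return true;
}

/* Size gate: compare the 64-bit on-disk value against the application's
 * ceiling BEFORE narrowing it to size_t, so a crafted size can neither wrap
 * on a 32-bit target nor drive an oversized heap or stack allocation. */
bool file_size_ok(const filinfo_t *fno, size_t *alloc_len)
{
    if (fno->fsize > APP_FILE_MAX) return false;
    *alloc_len = (size_t)fno->fsize;
    return true;
}

/* Constructed directory entry for demonstration: name_len 'A's, given size. */
filinfo_t make_entry(size_t name_len, uint64_t size)
{
    filinfo_t f;
    memset(&f, 0, sizeof f);
    if (name_len > FF_MAX_LFN) name_len = FF_MAX_LFN;
    memset(f.fname, 'A', name_len);
    f.fsize = size;
    return f;
}

int main(void)
{
    char   name[APP_NAME_MAX];
    size_t len = 0;
    filinfo_t evil = make_entry(200, 0x100000000ull); /* 200-char LFN, 4 GiB size */
    filinfo_t good = make_entry(8, 1024);

    printf("evil: name fit=%d size ok=%d\n",
           copy_name_safe(name, sizeof name, &evil), file_size_ok(&evil, &len));
    printf("good: name fit=%d size ok=%d len=%zu name=%s\n",
           copy_name_safe(name, sizeof name, &good), file_size_ok(&good, &len), len, name);
    /* copy_name_unsafe(name, &evil) would smash the stack here; deliberately not called. */
    return 0;
}
```

When auditing a vendored tree, grep the wrappers for `fno.fname`, `fno.fsize`, `f_getlabel` and every `strcpy`/`sprintf` that consumes them; each site needs the bounded form above, and any allocation sized from `fsize` needs the gate, because the filesystem layer alone cannot tell the caller how large its buffer is.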

The post Multiple FatFs Vulnerabilities Expose Millions of Embedded Devices to Cyber Risks appeared first on Cyber Security News.

Source: cybersecuritynews.com