All news

Seven FatFs bugs put millions of embedded devices at risk — mostly unpatched

runZeroSummarized by the ORA·tech AI assistant
SEC

runZero disclosed seven CVEs in FatFs — the FAT/exFAT filesystem driver embedded across ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot and more. The worst, CVE-2026-6682 (CVSS 7.6), is an integer overflow during FAT32 mount that forges file-size metadata and can lead to memory corruption and code execution. Only one of the seven is fixed upstream (R0.16); with the maintainer unresponsive, most remain open.

runZero researchers disclosed seven vulnerabilities in FatFs, the lightweight FAT/exFAT filesystem library embedded across a huge range of hardware platforms: Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT and SWUpdate — reaching into consumer IoT, industrial controllers, drones and crypto wallets. As of the July 1, 2026 disclosure, no real-world attacks had been observed.

Key points

  • CVE-2026-6682 (CVSS 7.6) is the headline bug: an integer overflow in core mount arithmetic yields attacker-controlled file-size metadata that downstream code trusts, leading to heap/stack overflow and possible code execution on real hardware.
  • All seven CVEs rate Medium to High — none are Critical.
  • Only CVE-2026-6684 (a GPT partition-scan DoS) is fixed upstream, in FatFs R0.16; pre-R0.16 builds remain vulnerable.
  • runZero found the bugs using VS Code + GitHub Copilot in "auto" mode with basic prompts — no custom fuzzing or harnesses — surfacing issues missed in a manual 2017 audit.
  • Repeated attempts to reach the maintainer and coordinate via JPCERT/CC went unanswered; the project has no security mailing list, leaving downstream vendors unaware.
  • The team shipped proof-of-concept disk images, a test harness and a working QEMU-based exploit alongside the disclosure.
#FatFs#embedded#IoT#CVE#runZero
This summary was written by the ORA·tech AI assistant. Read the original for full context.

Related

Chào bạn, mình là Nova. Có phần nào bạn muốn hiểu kỹ hơn không? Cứ nói với mình nhé.