IoT

7 vulnerabilities found in widely used FatFs library

Security firm runZero has disclosed seven vulnerabilities in FatFs, a filesystem library used by numerous devices to read and write FAT and exFAT formats. These flaws, ranging in severity from medium to high, could allow attackers to corrupt device memory or execute their own code. The vulnerabilities were discovered using AI-powered fuzzing tools, highlighting a growing trend in security research, with further coverage provided by The Hacker News.

The seven vulnerabilities in FatFs, a library embedded in firmware for devices like security cameras, drones, and industrial controllers, were found to be reachable through malformed USB drives, SD cards, or firmware update files. The most critical flaw, CVE-2026-6682, is an integer overflow during FAT32 volume mounting that can lead to memory corruption and code execution. Other high-severity bugs include buffer overflows related to volume labels and long filenames. Medium-severity issues involve data corruption from math wraps in cache handling and a divide-by-zero error in exFAT that can brick devices. The library's maintainer has been unresponsive to requests for fixes, leaving downstream vendors responsible for patching their products.

Affected platforms include Espressif ESP-IDF, STM32Cube, and Zephyr, impacting consumer IoT, industrial gear, and crypto wallets. While no attacks have been reported, proof-of-concept exploits are publicly available, and runZero advises users to treat physical ports and update channels as potential attack surfaces.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds