RUNZERO has identified seven significant vulnerabilities in FatFs, a filesystem library widely used in IoT and embedded devices. These flaws, affecting platforms like Espressif ESP-IDF and STMicroelectronics STM32Cube, can lead to memory corruption, crashes, and data leaks through maliciously crafted storage devices. Severity ratings range from Medium to High. Key issues include integer overflow, stack overflow, and memory corruption due to improper handling of file metadata.
Most devices using FatFs lack modern memory protections, increasing the risk of exploitation with physical access. Mirroring a 2017 audit, the security improvements were largely due to automated testing with AI tools. Six of the vulnerabilities currently have no upstream patch, necessitating device manufacturers to audit their versions of FatFs and ensure proper security responses.