Security firm runZero has disclosed seven unpatched vulnerabilities in FatFs, a small filesystem library that gives embedded devices read and write access to FAT and exFAT volumes on USB drives and SD cards. Because the library is compiled into the firmware of millions of devices, the attack surface is broad.
That reach is what makes the flaws significant: FatFs ships inside firmware for security cameras, drones, industrial controllers, hardware crypto wallets, and other embedded systems. The full scope of affected devices and the specific CVSS scores have not yet been detailed.
Technical details from runZero's disclosure indicate the flaws involve memory handling and parsing issues within the library's FAT/exFAT implementation. The trust boundary here is the medium itself: the library parses on-disk structures (boot sector, allocation tables, directory entries) that whoever wrote the medium fully controls, so a device that mounts untrusted removable media hands attacker-controlled input straight to the parser. Exploitation could allow an attacker to gain code execution or crash the device (denial of service) by getting it to process a maliciously crafted filesystem image from a removable drive.
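To make that attack surface concrete, here is an added example written for this article; it is not code from FatFs and does not reproduce or describe any of the seven reported flaws. It is a FAT12/16/32 boot-sector (BPB) parser in C that range-checks every media-supplied size before using it for buffer arithmetic, exercised against a constructed sane image and constructed malformed ones. The field offsets follow the published FAT BPB layout; the function and struct names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed view of the BIOS Parameter Block (names are this example's own). */
typedef struct {
    uint16_t bytes_per_sector;
    uint8_t  sectors_per_cluster;
    uint16_t reserved_sectors;
    uint8_t  num_fats;
    uint32_t sectors_per_fat;
    uint32_t total_sectors;
    uint32_t data_start_sector;   /* derived: first sector of the data region */
    uint32_t cluster_bytes;       /* derived: bytes_per_sector * sectors_per_cluster */
} bpb_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate and parse the first sector of a volume. Every size that later feeds
   buffer arithmetic comes from the (attacker-controlled) medium, so each one is
   range-checked first. Returns 0 on success, a negative code naming the check
   that rejected the image otherwise. */
int parse_bpb(const uint8_t *sec, size_t len, bpb_t *out)
{
    if (len < 512) return -1;                                 /* short read */
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -2;      /* boot signature */

    uint16_t bps   = rd16(sec + 11);   /* bytes per sector */
    uint8_t  spc   = sec[13];          /* sectors per cluster */
    uint16_t rsv   = rd16(sec + 14);   /* reserved sectors, incl. the boot sector */
    uint8_t  nfats = sec[16];
    uint16_t rootn = rd16(sec + 17);   /* root directory entries (0 on FAT32) */
    uint16_t ts16  = rd16(sec + 19);
    uint16_t spf16 = rd16(sec + 22);
    uint32_t ts32  = rd32(sec + 32);
    uint32_t spf32 = rd32(sec + 36);   /* FAT32 only */

    /* The spec allows only powers of two here. Zero would mean divide-by-zero or
       zero-length buffers downstream; out-of-range values mean oversized reads. */
    if (bps < 512 || bps > 4096 || (bps & (bps - 1)) != 0) return -3;
    if (spc == 0 || spc > 128 || (spc & (spc - 1)) != 0)  return -4;
    if (rsv == 0)                return -5;
    if (nfats == 0 || nfats > 2) return -6;

    /* 16-bit fields take precedence; zero means "use the 32-bit field". */
    uint32_t total = ts16 ? ts16 : ts32;
    uint32_t spf   = spf16 ? spf16 : spf32;
    if (total == 0 || spf == 0) return -7;

    /* Root directory size in sectors, rounded up (zero on FAT32). */
    uint32_t root_secs = ((uint32_t)rootn * 32u + bps - 1u) / bps;

    /* The reserved area, FATs and root directory must fit inside the volume.
       Sum in 64 bits so a crafted sectors-per-FAT cannot wrap the comparison. */
    uint64_t data_start = (uint64_t)rsv + (uint64_t)nfats * spf + root_secs;
    if (data_start >= total) return -8;

    out->bytes_per_sector    = bps;
    out->sectors_per_cluster = spc;
    out->reserved_sectors    = rsv;
    out->num_fats            = nfats;
    out->sectors_per_fat     = spf;
    out->total_sectors       = total;
    out->data_start_sector   = (uint32_t)data_start;
    out->cluster_bytes       = (uint32_t)bps * spc;   /* at most 4096 * 128 */
    return 0;
}

/* Build a constructed boot sector for testing (not captured from any device). */
void build_boot_sector(uint8_t sec[512], uint16_t bps, uint8_t spc, uint16_t rsv,
                       uint8_t nfats, uint16_t rootn, uint32_t total, uint16_t spf)
{
    memset(sec, 0, 512);
    sec[0] = 0xEB; sec[1] = 0x3C; sec[2] = 0x90;     /* jump instruction */
    memcpy(sec + 3, "MSWIN4.1", 8);                  /* OEM name */
    sec[11] = (uint8_t)bps;   sec[12] = (uint8_t)(bps >> 8);
    sec[13] = spc;
    sec[14] = (uint8_t)rsv;   sec[15] = (uint8_t)(rsv >> 8);
    sec[16] = nfats;
    sec[17] = (uint8_t)rootn; sec[18] = (uint8_t)(rootn >> 8);
    if (total < 0x10000u) {                          /* fits the 16-bit field */
        sec[19] = (uint8_t)total; sec[20] = (uint8_t)(total >> 8);
    } else {                                         /* otherwise the 32-bit field */
        sec[32] = (uint8_t)total;         sec[33] = (uint8_t)(total >> 8);
        sec[34] = (uint8_t)(total >> 16); sec[35] = (uint8_t)(total >> 24);
    }
    sec[21] = 0xF8;                                  /* media descriptor */
    sec[22] = (uint8_t)spf;   sec[23] = (uint8_t)(spf >> 8);
    sec[510] = 0x55; sec[511] = 0xAA;
}

/* Build then parse; returns parse_bpb's verdict and fills *out on success. */
int check_image(uint16_t bps, uint8_t spc, uint16_t rsv, uint8_t nfats,
                uint16_t rootn, uint32_t total, uint16_t spf, bpb_t *out)
{
    uint8_t sec[512];
    build_boot_sector(sec, bps, spc, rsv, nfats, rootn, total, spf);
    return parse_bpb(sec, sizeof sec, out);
}

int main(void)
{
    bpb_t b;
    int rc = check_image(512, 4, 1, 2, 512, 65536, 64, &b);   /* plausible FAT16 */
    printf("sane image:        rc=%d data_start=%u cluster_bytes=%u\n",
           rc, b.data_start_sector, b.cluster_bytes);
    printf("bytes/sector=0:    rc=%d\n", check_image(0, 4, 1, 2, 512, 65536, 64, &b));
    printf("sectors/cluster=0: rc=%d\n", check_image(512, 0, 1, 2, 512, 65536, 64, &b));
    printf("tables > volume:   rc=%d\n", check_image(512, 4, 1, 2, 512, 100, 64, &b));
    return 0;
}
```

Passing these checks only establishes that the geometry is self-consistent; the allocation chains, directory entries and long-name records that follow are equally attacker-controlled and need the same treatment (cluster numbers bounded by the data region, chain walks bounded against loops, entry counts bounded by the directory's size) before any of them is used to index a buffer.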
No patches are available for the disclosed vulnerabilities at the time of writing, and runZero's report did not say whether the library's maintainer has acknowledged the issues or given a timeline for fixes. Because FatFs is distributed as source and compiled into each product's firmware rather than installed as a shared component, a fix in the library reaches devices only when each manufacturer pulls it into its own build and ships a firmware update, so remediation will have to be coordinated downstream.
The disclosure highlights the challenge of securing ubiquitous open-source components in embedded systems, where updates are slow to deploy and device owners rarely have a bill of materials telling them which libraries their firmware contains.