logo

Seven FatFs bugs, one very large blast radius

ID: 4cc88d35-683e-5c4e-8e48-64d22e851a9c

STIX ID: report--4cc88d35-683e-5c4e-8e48-64d22e851a9c

Feed Name: runZero Blog

Threat Score
75/100

Date Published: 2026-07-01

Date Updated: 2026-07-02

Author: todb

...
...

RunZero published a coordinated disclosure of seven FatFs vulnerabilities (multiple CVEs) affecting FAT/exFAT/GPT parsing used across many embedded ecosystems (Espressif ESP‑IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, Mbed, and more). The flaws range from high-severity integer- and stack-overflows with RCE/heap/stack-corruption potential to medium-severity DoS and information-leak issues; the post warns downstream implementers to audit vendored copies, wrappers, and OTA/update handling and points to PoC images and a test harness in a companion repository.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.