Harness Scaffolds

Fuzz any library

Drop-in libFuzzer / AFL++ harness scaffolds for 60+ of the most-fuzzed open-source libraries. Each page shows the entry point, common bug classes, and recommended sanitizers.

Image

The reference PNG decoder — heavily fuzzed, yet bugs keep surfacing.

SIMD-accelerated JPEG codec — performance optimisations add uncommon code paths.

Google's WebP codec — a single critical bug here puts billions of devices at risk.

TIFF's flexibility is its attack surface — hundreds of tag/codec combinations rarely all get tested.

GIF's vintage LZW decoder is deceptively tricky to implement without boundary errors.

HEIF is the iPhone default image format — and libheif parses deeply nested container boxes.

JPEG 2000's wavelet decoder has integer-overflow-prone arithmetic at every resolution level.

libvips parallelises image processing via a lazy pipeline — race-prone and worth fuzzing.

Codec

The universal media Swiss-army knife — every container format is an attack surface.

The most widely deployed H.264 encoder — encoder bugs can corrupt every transcoded stream.

HEVC's coding-tree architecture multiplies the buffer-sizing complexity versus H.264.

Opus blends two codecs in one bitstream — SILK and CELT have separate bug surfaces.

Vorbis's VQ codebooks and floor curves involve arithmetic that is easy to overflow.

LAME (libmp3lame)C

Decades of MP3 encoder tuning leave corner cases in psychoacoustic model arithmetic.

Crypto

Heartbleed proved that a single OOB read in OpenSSL breaks the entire internet.

libsodium trades footprint for correctness — fuzzing validates those guarantees hold.

The embedded TLS stack — resource constraints mean less overflow headroom.

A FIPS-certified TLS library for RTOS and automotive — correctness claims demand verification.

GnuTLS's crypto backend — a bug here silently undermines every GnuTLS session.

GnuPG's cryptographic heart — its S-expression parser processes untrusted key material.

Chrome and Android's TLS stack — security regressions here are patched globally within hours.

A portable crypto toolkit common in embedded firmware — wide deployment, niche test coverage.

Compression

zlib is in everything — a single inflate bug surfaces in PNG, HTTP, Git, and thousands more.

Zstandard (zstd)C

zstd's FSE entropy coder has non-trivial table arithmetic that rewards fuzzing.

LZ4's speed comes from minimal safety checks — a single length miscalculation overflows.

Chrome ships brotli for HTTPS compression — a decode bug reaches every web user.

Google's speed-first compressor — used in LevelDB, Cassandra, and Hadoop.

bzip2 is aging and under-fuzzed — its BWT state machine has never had a full audit.

After the 2024 backdoor incident, xz-utils is the most scrutinised compression library in existence.

Parser

The most widely used XML parser in existence — a bug here affects every Linux system.

Python's xml.parsers.expat wraps this — a single overflow cascades into the interpreter.

YAML's indentation-sensitivity makes its scanner a rich target for stack-blowing inputs.

A popular C++ JSON library — deeply nested arrays can exhaust the call stack.

yaml-cpp's recursive emitter and parser share fragile depth assumptions.

Protobuf's wire format is compact but its C deserializer has manual length arithmetic.

TOML config files are user-supplied — any parser that trusts them needs fuzzing.

jq processes untrusted JSON from the network — its query compiler is a hidden attack surface.

Archive

One library, 30 archive formats — each is a separate bug surface with shared allocation logic.

ZIP64 extensions double the integer surface — oversized field values corrupt allocations.

RAR's proprietary format means limited independent auditing — fuzzing fills the gap.

7-Zip's Linux port processes dozens of formats — each format reader is a distinct bug surface.

Network

Billions of devices use libcurl — a URL parse bug here is a universal vulnerability.

nghttp2 powers nginx and curl HTTP/2 — HPACK decompression is a compact integer-overflow surface.

A server-side SSH implementation in C — a parse bug here means pre-auth remote code execution.

PHP and curl use libssh2 for SFTP — a channel overflow here is remotely exploitable.

Node.js and curl use c-ares for DNS — a crafted DNS response can corrupt the heap.

GnuTLS is the TLS stack for GNOME and glib-networking — certificate parsing bugs affect the desktop.

Database

SQLite is in every smartphone, browser, and OS — a query parser bug is universally exploitable.

LMDB maps the database file directly into memory — a corrupt file can write anywhere.

Chrome's IndexedDB and many blockchain nodes use LevelDB — a corrupt SSTable crashes both.

MySQL, MongoDB, and TiKV embed RocksDB — SST corruption in any of them triggers this code.

Font

Font rendering library used by Linux, Android, and major browsers — long CVE history

Cross-platform text shaping engine used in Chrome, Firefox, Android, and macOS

Font discovery and configuration library on every Linux desktop

Audio/Video

VP8 and VP9 reference codec library used by Chrome, WebRTC, and Android

Media codec library — long-standing FFmpeg fork, still in many distros

Theora video codec reference implementation — older format, still embedded in many tools

Binary

Multi-architecture disassembly engine used by every reverse-engineering tool on Linux

GNU binary utilities — BFD library, objdump, readelf — historical CVE goldmine

ELF object file library used by every Linux toolchain and debugger