Handcrafted bitflipping machines.

Writing a fuzzer from scratch: Astra

Fuzzing is one of the rare automated vulnerability-discovery techniques that has proven its efficiency over the past decades. This article aims to explain how to design and write a modern Unix-compatible fuzzer, comparable to AFL++, libFuzzer or LibAFL, from scratch. It’s assumed the reader knows Rust and has a basic understanding of what a fuzzer is. Today I’m releasing Astra, a Rust fuzzer made from scratch. This work wouldn’t have been possible without the excellent work of peers who published papers about novel approaches and who developed, maintained and documented great open-source fuzzers. Open-source projects are often taken for granted, but in reality they exist because a small community dedicates its time and effort to everyone. Feel free to contribute in your own way: resolve a good first issue on AFL++ or LibAFL, donate a coffee to the AFLplusplus organization, write documentation or simply use and share their work. ...

Vulnerability root-cause analysis on Linux

Introduction As you may know: finding bugs is one of the greatest things in life — but once you finally obtain the precious memory corruption you were praying for, you still need to actually understand it. In this article we’ll explore how to conduct a root-cause analysis of a vulnerability in a Linux open-source program that we compiled ourselves. That matters because it lets us disable stripping and enable debug symbols, which makes the investigation dramatically easier. ...

Harnessing Libraries for Effective Fuzzing

Introduction Every security researcher or fuzzing enthusiast dreams of a program that takes a file as input, achieves deep coverage, and executes with lightning speed. Unfortunately, in the real world, only a handful of targets meet this ideal, making it unwise to “dumb fuzz” them (and you shouldn’t! See this guide). Most targets are not fuzzable out of the box and require you, the researcher, to do some heavy lifting to enable efficient fuzzing. In this article, we will explore how to fuzz a library, from the basics to persistent mode. Our focus will be on FreeType, a widely used software library for accessing font file contents. ...

Golem - Engineering AI for Static Security Analysis

Introduction Have you ever tried to build furniture and somehow ended up with more (or fewer) parts than you’d expect? You end up with a tiny stick of wood and 3 screws, and your furniture seems to be done? Reading the documentation is for the weak, so you pull up your phone and ask ChatGPT: how many of those things should I have? You check by yourself, and what on Earth is ChatGPT yapping about? There is no way there are that many parts left in the bag when 5 are already in the wardrobe. But wait, for a while now GPT (and others) have accepted document input. So, smart as you are, you download the instructions and immediately send them! ...

WinAFL - Fuzzing Windows binaries

Introduction In this chapter we’ll dive into grey-box fuzzing on closed-source Windows binaries (PE executables) using WinAFL. The appeal is simple: Windows grey-box fuzzing has more friction (tooling, reversing, patching, debugging), so fewer people do it seriously — which means the targets are often less explored and the odds of finding interesting bugs can be higher. By the end of this tutorial you will be able to: run WinAFL with DynamoRIO on a Windows PE target, patch “GUI blockers” that prevent automation, compute a correct target_offset, launch a fuzzing campaign and triage a crash. What you’ll need to overcome To fuzz a closed-source Windows binary effectively, you usually must: ...

CVE-2025-43254 - OOB-RW in macOS libmacho.dylib

Summary
CVE: CVE-2025-43254
Component: libmacho.dylib
Vulnerability Type: Out-of-bounds memory access
Vendor: Apple
Severity: Medium
Product: macOS
Affected Versions: Sonoma, Sequoia, Ventura
Fix Status: Fixed by vendor (Apple Security Update)
Credit: 2ourc3
Description
A security vulnerability has been identified in macOS’s libmacho.dylib. The bug allows an attacker to trigger an out-of-bounds memory access using a specially crafted Mach-O fat binary, potentially leading to information disclosure or remote code execution (depending on memory layout and exploitation constraints). ...

CVE-2024-6773 - Type confusion in V8 Turboshaft

Summary
CVE: CVE-2024-6773
Component: V8 Turboshaft (Load Elimination)
Vulnerability Type: Type confusion → memory corruption (stale pointer across GC)
Vendor: Google
Product: Chrome / V8 JavaScript Engine
Affected Versions: Chrome versions prior to M126
Fix Status: Fixed (V8 main + backports to M126 Stable / M127 Beta)
Severity: Chrome S1
Credit: Salim Largo (2ourc3)
Description
CVE-2024-6773 is a critical type confusion vulnerability in the V8 Turboshaft compiler pipeline, specifically within the Load Elimination optimization phase. ...

CVE-2024-11612 - Infinite loop DoS in 7-Zip CopyCoder

Summary
CVE: CVE-2024-11612
Component: 7-Zip (CopyCoder / stream processing)
Vulnerability Type: Infinite loop → Denial of Service (DoS)
Vendor: 7-Zip
Product: 7-Zip
Impact: Unbounded decompression loop / CPU hang
Discoverer / Credit: 2ourc3 (Salim Largo)
Disclosure: Reported via Zero Day Initiative (ZDI)
Advisory: ZDI-24-1606
Description
During a fuzzing campaign against 7-Zip, an input was discovered that causes the decompression process to run forever. When the crafted archive is opened, 7-Zip remains stuck in a “decompressing” state without terminating, resulting in a denial-of-service condition. ...

CVE-2024-53589 - Buffer overflow in GNU Objdump tekhex

Summary
CVE: CVE-2024-53589
Component: objdump / BFD tekhex parser
Vulnerability Type: Buffer overflow / out-of-bounds read
Vendor: GNU Project
Product: GNU Binutils
Affected Versions: 2.43 (and potentially earlier)
Fix Status: Fixed (commit e0323071916878e0634a6e24d8250e4faff67e88)
Credit: 2ourc3
Description
A vulnerability exists in GNU Binutils’ objdump utility when processing tekhex format files. The issue occurs inside the Binary File Descriptor (BFD) library’s tekhex parser during format identification. In the failing case, the parser attempts to read 8 bytes from an address that precedes the global variable _bfd_std_section, resulting in an out-of-bounds read. This invalid read is reachable with a crafted tekhex file and can be triggered simply by running objdump on the file. ...