afl-cve

A collection of vulnerabilities discovered by the AFL fuzzer (afl-fuzz)

Introduction

afl-cve is a collection of known vulnerabilities that can be attributed to the AFL fuzzer (afl-fuzz). Every vulnerability in this list either already has a CVE assigned or has had one requested from a CVE Numbering Authority.

Why is This Necessary?

Because CVE descriptions are generally not written to mention AFL as the tool that enabled a particular bug to be found. This is primarily because CVE descriptions do not require the underlying discovery tool or technique to be disclosed. Nor should they necessarily: many security researchers have their own methods, and requiring researchers to disclose such techniques might hurt the vulnerability reporting process. Still, most security researchers do acknowledge AFL in some form (a Twitter post, the afl-users mailing list, etc.) when it finds a bug, and afl-cve attempts to track those acknowledgments more formally.

Also, the afl-fuzz website does a great job of tracking bugs found by AFL. But not all bugs get assigned a CVE, so there is a need to specifically track those that do: having a CVE is at least a tacit acknowledgment of potential exploitability, which makes the bugs AFL has found frequently important for anyone concerned about security.

Fuzzing Revisited

AFL has discovered a huge number of bugs in all sorts of projects, from compilers to image processing libraries. AFL seems to be succeeding where other fuzzers have failed, or at least where they have not been generally embraced or made operational by the security community, for whatever reason. Another way to see this is to try to determine which fuzzer has the most CVEs. Is there a different fuzzing project that comes close to AFL in terms of the number of vulnerabilities found? It would be instructive to see which fuzzer comes in second place, and by how much.

The Vulnerabilities

This is likely a partial list, so please send a pull request or contact me (see below) to add any CVE that is missing from the table:

| Project / Software | CVE Number | Metasploit |
|---|---|---|
| bash | CVE-2014-6277 | NA |
| bash | CVE-2014-6278 | scanner, exploit1, exploit2 |
| libjpeg | CVE-2013-6629 | NA |
| libpng | CVE-2014-9495 | NA |
| libpng | CVE-2015-8126 | NA |
| BIND | CVE-2015-5477 | NA |
| BIND | CVE-2015-5722 | NA |
| BIND | CVE-2015-5986 | NA |
| Xerces-C | CVE-2015-0252 | NA |
| Xerces-C | CVE-2016-0729 | NA |
| Xerces-C | CVE-2016-4463 | NA |
| ImageIO | CVE-2015-5781 | NA |
| ImageIO | CVE-2015-5782 | NA |
| libtiff | CVE-2014-8127 | NA |
| libtiff | CVE-2014-8128 | NA |
| libtiff | CVE-2014-8129 | NA |
| libtiff | CVE-2014-8130, Debian Advisory | NA |
| libtiff | CVE-2016-10092 | NA |
| libtiff | CVE-2016-10093 | NA |
| libtiff | CVE-2016-10094 | NA |
| libtiff | CVE-2016-10095 | NA |
| firefox | CVE-2014-1564 | NA |
| firefox | CVE-2014-1580 | NA |
| firefox | CVE-2014-8637 | NA |
| flash | CVE-2015-0329 | NA |
| flash | CVE-2015-0323 | NA |
| mutt | CVE-2014-9116 | NA |
| clamav | CVE-2015-1463 | NA |
| clamav | CVE-2015-2170 | NA |
| clamav | CVE-2015-2221 | NA |
| clamav | CVE-2015-2222 | NA |
| X.org | CVE-2015-1802 | NA |
| X.org | CVE-2015-1803 | NA |
| X.org | CVE-2015-1804 | NA |
| libwmf | CVE-2015-0848 | NA |
| libwmf | CVE-2015-4695 | NA |
| libwmf | CVE-2015-4696 | NA |
| tidy | CVE-2015-5522 | NA |
| tidy | CVE-2015-5523 | NA |
| patch | CVE-2014-9637 | NA |
| openssl | CVE-2015-1788 | NA |
| openssl | CVE-2015-0288 | NA |
| openssl | CVE-2015-3193 | NA |
| gnutls | CVE-2014-8564 | NA |
| libmspack | CVE-2014-9556 | NA |
| libmspack | CVE-2014-9732 | NA |
| libmspack | CVE-2015-4467 | NA |
| libmspack | CVE-2015-4468 | NA |
| libmspack | CVE-2015-4469 | NA |
| libmspack | CVE-2015-4470 | NA |
| libmspack | CVE-2015-4471 | NA |
| libmspack | CVE-2015-4472 | NA |
| Qt | CVE-2015-1858 | NA |
| Qt | CVE-2015-1859 | NA |
| Qt | CVE-2015-1860 | NA |
| unace | CVE-2015-2063 | NA |
| ARJ | CVE-2015-2782 | NA |
| t1utils | CVE-2015-3905 | NA |
| Android (libstagefright) | CVE-2015-1538 | NA |
| Android (libstagefright) | CVE-2015-1539 | NA |
| Android (libstagefright) | CVE-2015-3824 | NA |
| Android (libstagefright) | CVE-2015-3826 | NA |
| Android (libstagefright) | CVE-2015-3827 | NA |
| Android (libstagefright) | CVE-2015-3828 | NA |
| Android (libstagefright) | CVE-2015-3829 | NA |
| antiword | CVE-2014-8123 | NA |
| ArduinoJson | CVE-2015-4590 | NA |
| CUPS | CVE-2014-9679 | NA |
| Cap'n Proto | CVE-2015-2310 | NA |
| Cap'n Proto | CVE-2015-2312 | NA |
| libtasn1 | CVE-2015-3622 | NA |
| libtasn1 | CVE-2016-4008 | NA |
| UnRTF | CVE-2014-9274 | NA |
| UnRTF | CVE-2014-9275 | NA |
| unzip | CVE-2015-1315, Debian Advisory | NA |
| unzoo | CVE-2015-1845, Red Hat Advisory | NA |
| unzoo | CVE-2015-1846, Red Hat Advisory | NA |
| Ghostscript | CVE-2015-3228, Red Hat Advisory | NA |
| GnuPG | CVE-2015-1606 | NA |
| GnuPG | CVE-2015-1607 | NA |
| libksba | CVE-2014-9087 | NA |
| Microsoft Windows | CVE-2014-6355 | NA |
| Microsoft Windows | CVE-2015-0061 | NA |
| NTP | CVE-2015-7855 | NA |
| NTP | CVE-2016-7434 | NA |
| libxml2 | CVE-2015-7941 | NA |
| libxml2 | CVE-2015-8035 | NA |
| libxml2 | CVE-2015-8241 | NA |
| libxml2 | CVE-2015-8242 | NA |
| libxml2 | CVE-2015-8317 | NA |
| libxml2 | CVE-2016-4658 | NA |
| libxml2 | CVE-2016-5131 | NA |
| PuTTY | CVE-2015-5309 | NA |
| PowerDNS | CVE-2015-5311 | NA |
| PHP | CVE-2015-0232 | NA |
| PHP | CVE-2017-5340 | NA |
| pngcrush | CVE-2015-2158 | NA |
| dpkg | CVE-2015-0860 | NA |
| PCRE | CVE-2015-8380 | NA |
| LHA for UNIX | CVE-2016-1925 | NA |
| imlib2 | CVE-2014-9771 | NA |
| imlib2 | CVE-2016-3994 | NA |
| jq | CVE-2015-8863 | NA |
| Botan | CVE-2015-5726 | NA |
| Botan | CVE-2016-2194 | NA |
| Botan | CVE-2016-2195 | NA |
| Botan | CVE-2016-2196 | NA |
| dosfstools | CVE-2015-8872 | NA |
| dosfstools | CVE-2016-4804 | NA |
| Expat | CVE-2016-0718 | NA |
| libarchive | CVE-2015-8915 | NA |
| libarchive | CVE-2015-8916 | NA |
| libarchive | CVE-2015-8917 | NA |
| libarchive | CVE-2015-8918 | NA |
| libarchive | CVE-2015-8919 | NA |
| libarchive | CVE-2015-8920 | NA |
| libarchive | CVE-2015-8928 | NA |
| libarchive | CVE-2015-8921 | NA |
| libarchive | CVE-2015-8922 | NA |
| libarchive | CVE-2015-8923 | NA |
| libarchive | CVE-2015-8924 | NA |
| libarchive | CVE-2015-8925 | NA |
| libarchive | CVE-2015-8926 | NA |
| libarchive | CVE-2015-8927 | NA |
| libarchive | CVE-2015-8929 | NA |
| libarchive | CVE-2015-8930 | NA |
| libarchive | CVE-2015-8931 | NA |
| libarchive | CVE-2015-8932 | NA |
| libarchive | CVE-2015-8933 | NA |
| libarchive | CVE-2015-8934 | NA |
| libarchive | CVE-2016-5844 | NA |
| libarchive | CVE-2016-1541 | NA |
| libarchive | CVE-2016-8687 | NA |
| libarchive | CVE-2016-8688 | NA |
| libarchive | CVE-2016-8689 | NA |
| libiberty | CVE-2016-2226 | NA |
| libiberty | CVE-2016-4487 | NA |
| libiberty | CVE-2016-4488 | NA |
| libiberty | CVE-2016-4489 | NA |
| libiberty | CVE-2016-4490 | NA |
| libiberty | CVE-2016-4491 | NA |
| libiberty | CVE-2016-4492 | NA |
| libiberty | CVE-2016-4493 | NA |
| libiberty | CVE-2016-6131 | NA |
| OpenBSD | CVE-2016-6239 | NA |
| OpenBSD | CVE-2016-6240 | NA |
| OpenBSD | CVE-2016-6241 | NA |
| OpenBSD | CVE-2016-6242 | NA |
| OpenBSD | CVE-2016-6243 | NA |
| OpenBSD | CVE-2016-6244 | NA |
| OpenBSD | CVE-2016-6245 | NA |
| OpenBSD | CVE-2016-6246 | NA |
| OpenBSD | CVE-2016-6247 | NA |
| collectd | CVE-2016-6254 | NA |
| libidn | CVE-2016-6261 | NA |
| libidn | CVE-2016-6263 | NA |
| w3m | CVE-2016-9422 | NA |
| w3m | CVE-2016-9423 | NA |
| w3m | CVE-2016-9424 | NA |
| w3m | CVE-2016-9425 | NA |
| w3m | CVE-2016-9426 | NA |
| w3m | CVE-2016-9427 | NA |
| w3m | CVE-2016-9428 | NA |
| w3m | CVE-2016-9429 | NA |
| w3m | CVE-2016-9430 | NA |
| w3m | CVE-2016-9431 | NA |
| w3m | CVE-2016-9432 | NA |
| w3m | CVE-2016-9433 | NA |
| w3m | CVE-2016-9434 | NA |
| w3m | CVE-2016-9435 | NA |
| w3m | CVE-2016-9436 | NA |
| w3m | CVE-2016-9437 | NA |
| w3m | CVE-2016-9438 | NA |
| w3m | CVE-2016-9439 | NA |
| w3m | CVE-2016-9440 | NA |
| w3m | CVE-2016-9441 | NA |
| w3m | CVE-2016-9442 | NA |
| w3m | CVE-2016-9443 | NA |
| w3m | CVE-2016-9622 | NA |
| w3m | CVE-2016-9623 | NA |
| w3m | CVE-2016-9624 | NA |
| w3m | CVE-2016-9625 | NA |
| w3m | CVE-2016-9626 | NA |
| w3m | CVE-2016-9627 | NA |
| w3m | CVE-2016-9628 | NA |
| w3m | CVE-2016-9629 | NA |
| w3m | CVE-2016-9630 | NA |
| w3m | CVE-2016-9631 | NA |
| w3m | CVE-2016-9632 | NA |
| w3m | CVE-2016-9633 | NA |
| libical | CVE-2016-5823 | NA |
| libical | CVE-2016-5824 | NA |
| libical | CVE-2016-5825 | NA |
| libical | CVE-2016-5826 | NA |
| libical | CVE-2016-5827 | NA |
| GNU ed | CVE-2017-5357 | NA |
| Irssi | CVE-2017-5356 | NA |
| Irssi | CVE-2017-5193 | NA |
| JasPer | CVE-2016-8690 | NA |
| JasPer | CVE-2016-8691 | NA |
| JasPer | CVE-2016-8692 | NA |
| JasPer | CVE-2016-8693 | NA |
| JasPer | CVE-2016-8884 | NA |
| JasPer | CVE-2016-8885 | NA |
| JasPer | CVE-2016-8886 | NA |
| JasPer | CVE-2016-8887 | NA |
| JasPer | CVE-2016-9387 | NA |
| JasPer | CVE-2016-9388 | NA |
| JasPer | CVE-2016-9389 | NA |
| JasPer | CVE-2016-9390 | NA |
| JasPer | CVE-2016-9391 | NA |
| JasPer | CVE-2016-9392 | NA |
| JasPer | CVE-2016-9393 | NA |
| JasPer | CVE-2016-9394 | NA |
| JasPer | CVE-2016-9395 | NA |
| JasPer | CVE-2016-9396 | NA |
| JasPer | CVE-2016-9397 | NA |
| JasPer | CVE-2016-9398 | NA |
| JasPer | CVE-2016-9399 | NA |
| JasPer | CVE-2016-9557 | NA |
| JasPer | CVE-2016-9560 | NA |
| JasPer | CVE-2017-5502 | NA |
| JasPer | CVE-2017-5501 | NA |
| JasPer | CVE-2017-5500 | NA |
| JasPer | CVE-2017-5499 | NA |
| JasPer | CVE-2017-5498 | NA |
| JasPer | CVE-2017-5503 | NA |
| JasPer | CVE-2017-5504 | NA |
| JasPer | CVE-2017-5505 | NA |
| Adobe Reader DC | CVE-2016-4198 | NA |
| Adobe Reader DC | CVE-2016-6969 | NA |
| Adobe Reader DC | CVE-2016-6978 | NA |
| OpenCV | CVE-2016-1516 | NA |
| OpenCV | CVE-2016-1517 | NA |
| WavPack | CVE-2016-10169 | NA |
| WavPack | CVE-2016-10170 | NA |
| WavPack | CVE-2016-10171 | NA |
| WavPack | CVE-2016-10172 | NA |
| mp3splt | CVE-2017-5665 | NA |
| mp3splt | CVE-2017-5666 | NA |
| mp3splt | CVE-2017-5851 | NA |
| ImageMagick | CVE-2016-8677 | NA |
| ImageMagick | CVE-2016-8678 | NA |
| ImageMagick | CVE-2016-8862 | NA |
| ImageMagick | CVE-2016-8866 | NA |
| ImageMagick | CVE-2016-9556 | NA |
| ImageMagick | CVE-2016-9559 | NA |
| ImageMagick | CVE-2017-12983 | NA |
| GraphicsMagick | CVE-2016-7449 | NA |
| GraphicsMagick | CVE-2016-8682 | NA |
| GraphicsMagick | CVE-2016-8683 | NA |
| GraphicsMagick | CVE-2016-8684 | NA |
| libav | CVE-2015-5479 | NA |
| libav | CVE-2016-6832 | NA |
| libav | CVE-2016-7393 | NA |
| libav | CVE-2016-7424 | NA |
| libav | CVE-2016-7477 | NA |
| libav | CVE-2016-7499 | NA |
| libav | CVE-2016-8676 | NA |
| libav | CVE-2016-9819 | NA |
| libav | CVE-2016-9820 | NA |
| libav | CVE-2016-9821 | NA |
| libav | CVE-2016-9822 | NA |
| libav | CVE-2016-9823 | NA |
| libav | CVE-2016-9824 | NA |
| libav | CVE-2016-9825 | NA |
| libav | CVE-2016-9826 | NA |
| libdwarf | CVE-2016-8679 | NA |
| libdwarf | CVE-2016-8680 | NA |
| libdwarf | CVE-2016-8681 | NA |
| libdwarf | CVE-2016-9275 | NA |
| libdwarf | CVE-2016-9276 | NA |
| libdwarf | CVE-2016-9558 | NA |
| libming | CVE-2016-9264 | NA |
| libming | CVE-2016-9265 | NA |
| libming | CVE-2016-9266 | NA |
| libming | CVE-2016-9827 | NA |
| libming | CVE-2016-9828 | NA |
| libming | CVE-2016-9829 | NA |
| libming | CVE-2016-9831 | NA |
| libwmf | CVE-2016-9011 | NA |
| Potrace | CVE-2016-8685 | NA |
| Potrace | CVE-2016-8686 | NA |
| Potrace | CVE-2016-8694 | NA |
| Potrace | CVE-2016-8695 | NA |
| Potrace | CVE-2016-8696 | NA |
| Potrace | CVE-2016-8697 | NA |
| Potrace | CVE-2016-8698 | NA |
| Potrace | CVE-2016-8699 | NA |
| Potrace | CVE-2016-8700 | NA |
| Potrace | CVE-2016-8701 | NA |
| Potrace | CVE-2016-8702 | NA |
| Potrace | CVE-2016-8703 | NA |
| MuPDF | CVE-2016-8674 | NA |
| MuPDF | CVE-2017-7264 | NA |
| PoDoFo | CVE-2015-8981 | NA |
| PoDoFo | CVE-2017-5852 | NA |
| PoDoFo | CVE-2017-5853 | NA |
| PoDoFo | CVE-2017-5854 | NA |
| PoDoFo | CVE-2017-5855 | NA |
| PoDoFo | CVE-2017-5886 | NA |
| GStreamer | CVE-2016-10198 | NA |
| GStreamer | CVE-2016-10199 | NA |
| GStreamer | CVE-2017-5840 | NA |
| GStreamer | CVE-2017-5844 | NA |
| GStreamer | CVE-2017-5846 | NA |
| ZZIPlib | CVE-2017-5974 | NA |
| ZZIPlib | CVE-2017-5975 | NA |
| ZZIPlib | CVE-2017-5976 | NA |
| ZZIPlib | CVE-2017-5977 | NA |
| ZZIPlib | CVE-2017-5978 | NA |
| ZZIPlib | CVE-2017-5980 | NA |
| ZZIPlib | CVE-2017-5981 | NA |
| glibc | CVE-2015-8985 | NA |
| GDK-PixBuf | CVE-2017-6312 | NA |
| GDK-PixBuf | CVE-2017-6311 | NA |
| curl | CVE-2015-3145 | NA |
| curl | CVE-2015-3144 | NA |
| curl | CVE-2017-7407 | NA |
| gnulib | CVE-2017-7476 | NA |
| Cairo | CVE-2017-7475 | NA |
| audiofile | CVE-2017-6829 | NA |
| audiofile | CVE-2017-6830 | NA |
| audiofile | CVE-2017-6831 | NA |
| audiofile | CVE-2017-6832 | NA |
| audiofile | CVE-2017-6833 | NA |
| audiofile | CVE-2017-6834 | NA |
| audiofile | CVE-2017-6835 | NA |
| audiofile | CVE-2017-6836 | NA |
| audiofile | CVE-2017-6837 | NA |
| audiofile | CVE-2017-6838 | NA |
| audiofile | CVE-2017-6839 | NA |

Contact

All updates to the above list of CVEs are managed through any of three channels: GitHub issue tracking, email (michael.rash_AT_gmail.com), or Twitter (@michaelrash).