What Bugs Can You Find With Fuzzing?

August 12 2021 | 5 min

Modern fuzz testing is one of the most effective methods to find bugs and vulnerabilities in software. It is so effective because it runs the application with dynamic inputs to provoke unexpected or erroneous behavior. Modern fuzzing engines can also retrieve feedback from previous inputs to generate new and more advanced fuzzing queries. They are optimized to improve your code coverage and detect all types of bug classes.

Since 2018, Code intelligence provides a platform for automated fuzz testing. Working closely together with industry and academia, the engineers at Code Intelligence were able to extend the reach of modern fuzz testing to a variety of different use cases. In this article, you will find an overview of some of the bug classes that the CI team found over the past years.*

* Please note that for confidential reasons, not all findings are included in this blog. If you are interested in a specific bug class, please contact our experts.

List of bugs found with fuzzing in C/C++

List of bugs and CWEs that CI Fuzz found in C/C++ software (click to enlarge)

What Bugs Can you Find With Fuzzing in C/C++?

Memory Buffer Errors

  • Buffer Overflow [CWE 119]
  • Incorrect Calculation of Buffer Size [CWE-131]
  • Free of Memory not on the Heap [CWE-590]
  • Integer Overflow to Buffer Overflow [CWE-680]
  • Access of Memory Location Before Start of Buffer [CWE-786]
  • Improper Access Control Applied to Mirrored or Aliased Memory Regions [CWE-1257]
  • Improper Handling of Overlap Between Protected Memory Ranges [CWE-1260]
  • Double-Free [CWE-415]
  • Out-of-bounds Read [CWE-125]
  • Out-of-bounds Write [CWE-787]
  • Dangling pointer [CWE-416]

Data Validation Issues

  • Out-of-bounds array index [CWE-129]
  • Object Type Confusion [CWE-843]
  • Improper Input Validation [CWE-20]

Pointer Issues

  • Return of Pointer Value Outside of Expected Range [CWE-466]
  • NULL Pointer Dereference [CWE-476]
  • Assignment of a Fixed Address to a Pointer [ CWE-587]
  • Attempt to Access Child of a Non-structure Pointer [CWE-588]
  • Untrusted pointer offset [CWE-823]

Numeric Errors

  • Integer Overflow or Wraparound [CWE-190]
  • Off-by-five [CWE-193]
  • Numeric Range Comparison Without Minimum Check [CWE-839]

Concurrency Issues

  • Signal Handler Race Condition [CWE-364]
  • Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)  [CWE-362]
  • Race Condition within a Thread [CWE-366]
  • Time Of Check To Time Of Use [CWE-367]
  • Race Condition During Access to Alternate Channel [ CWE-421]
  • Context Switching Race Condition [CWE-368]
  • Race Condition for Write-Once Attributes [CWE-1223]
  • Improper Synchronization [CWE-662]

Bad Coding Practices

  • Return of Stack Variable Address [CWE-562]
  • Reliance on Machine-Dependent Data Representation [CWE-1102]
  • Use of Platform-Dependent Third Party Components [CWE-1103]


Info Box: Fuzzing With Sanitizers

Some bugs can not be detected by fuzzing alone. To trigger these more complex vulnerabilities, you will have to use additional sanitizers. For example, ThreadSanitizer for race conditions, or AddressSanitizer for memory buffer errors. These sanitizers are software libraries that you compile into your code to make your program crash more often.  The CI Fuzz testing platform can help you to set up and configure those sanitizers, in order to improve your code coverage. Click here to learn more about sanitizers

What Bugs Can you Find With Fuzzing in Java?

Fuzz testing is also an effective approach for finding security vulnerabilities in memory-safe languages. With our fuzzing engine for Java, we regularly uncover all kinds of bugs in JVM-based customer projects. Here is a list of some typical bugs we find in Java applications:

Data Validation Errors

Logic Issues

  • Logic issue: bypass security features [CWE-840]

Audit/Logging Errors

Cookie Issues

  • Sensitive Cookie with Improper SameSite Attribute [CWE-1275]
  • Sensitive Cookie Without 'HttpOnly' Flag [CWE-1004]
  • Sensitive Cookie in HTTPS Session Without 'Secure' Attribute [CWE-614]

Other Issues

  • Denial of Service (DoS) [OWASP]
  • Infinite Loop [CWE-835]
  • Security Misconfiguration [A6:OWASP]
  • Insecure Deserialization [A8:OWASP]
  • Using Components with Known Vulnerabilities [A9:OWASP]
  • Uncaught Exceptions [CWE-248]

    Download CI Fuzz Bug Report

Although our fuzzing engine already uncovers a large variety of different bug classes, we are constantly improving and fine-tuning our platform, to make security testing more usable and accessible for everyone. For an in-depth look at the tech that Code Intelligence offers, you can check out our product tour or download one of our sample bug reports.

CI Fuzz bug report [PDF]

CI Fuzz bug report [PDF]

Recent Posts

One Year of Fuzzing and Fixing Suricata

Autofuzz: Fuzzing Without Writing Fuzz Targets or Harnesses

Fuzzing 101 – The Basics (FAQ)

19 Bugs in Jsoup Found With Jazzer

Share Article

Subscribe to updates