Skip to content
Choose a tag to compare

Version ++4.02c (release)

  • afl-cc:
    • important fix for the default pcguard mode when LLVM IR vector
      selects are produced, thanks to @juppytt for reporting!
  • gcc_plugin:
    • Adacore submitted CMPLOG support to the gcc_plugin! :-)
  • llvm_mode:
    • laf cmp splitting fixed for more comparison types
  • frida_mode:
    • now works on Android!
  • afl-fuzz:
    • change post_process hook to allow returning NULL and 0 length to
      tell afl-fuzz to skip this mutated input
Choose a tag to compare

Version ++4.01c (release)

  • fixed */ scripts to work outside of git
  • new custom_mutator: libafl with token fuzzing :)
  • afl-fuzz:
    • when you just want to compile once and set CMPLOG, then just
      set -c 0 to tell afl-fuzz that the fuzzing binary is also for
    • new commandline options -g/G to set min/max length of generated
      fuzz inputs
    • you can set the time for syncing to other fuzzer now with
    • reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
      persistent mode and manual forkserver support if these are not
      in the target binary (e.g. are in a shared library)
    • add AFL_EARLY_FORKSERVER to install the forkserver as earliest as
      possible in the target (for afl-gcc-fast/afl-clang-fast/
    • "saved timeouts" was wrong information, timeouts are still thrown
      away by default even if they have new coverage (hangs are always
      kept), unless AFL_KEEP_TIMEOUTS are set
    • AFL never implemented auto token inserts (but user token inserts,
      user token overwrite and auto token overwrite), added now!
    • fixed a mutation type in havoc mode
    • Mopt fix to always select the correct algorithm
    • fix effector map calculation (deterministic mode)
    • fix custom mutator post_process functionality
    • document and auto-activate pizza mode on condition
  • afl-cc:
    • due a bug in lld of llvm 15 LTO instrumentation wont work atm :-(
    • converted all passed to use the new llvm pass manager for llvm 11+
    • AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only)
    • trying to stay on top on all these #$&§!! changes in llvm 15 ...
  • frida_mode:
    • update to new frida release, handles now c++ throw/catch
  • unicorn_mode:
    • update unicorn engine, fix C example
  • utils:
    • removed optimin because it looses coverage due to a bug and is
      unmaintained :-(
Choose a tag to compare

Version ++4.00c (release)

  • complete documentation restructuring, made possible by Google Season
    of Docs :) thank you Jana!
  • we renamed several UI and fuzzer_stat entries to be more precise,
    e.g. "unique crashes" -> "saved crashes", "total paths" ->
    "corpus count", "current path" -> "current item".
    This might need changing custom scripting!
  • Nyx mode (full system emulation with snapshot capability) has been
    added - thanks to @schumilo and @eqv!
  • unicorn_mode:
    • Moved to unicorn2! by Ziqiao Kong (@lazymio)
    • Faster, more accurate emulation (newer QEMU base), risc-v support
    • removed indirections in rust callbacks
  • new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
    thanks to RICSecLab submitting!
  • if instrumented libaries are dlopen()'ed after the forkserver you
    will now see a crash. Before you would have colliding coverage.
    We changed this to force fixing a broken setup rather then allowing
    ineffective fuzzing.
    See docs/ how to fix such setups.
  • afl-fuzz:
    • cmplog binaries will need to be recompiled for this version
      (it is better!)
    • fix a regression introduced in 3.10 that resulted in less
      coverage being detected. thanks to Collin May for reporting!
    • ensure all spawned targets are killed on exit
    • added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
      incorrect LTO usage setups and enhanced the READMEs for better
      information on how to deal with instrumenting libraries
    • fix -n dumb mode (nobody should use this mode though)
    • fix stability issue with LTO and cmplog
    • better banner
    • more effective cmplog mode
    • more often update the UI when in input2stage mode
  • qemu_mode/unicorn_mode: fixed OOB write when using libcompcov,
    thanks to kotee4ko for reporting!
  • frida_mode:
    • better performance, bug fixes
    • David Carlier added Android support :)
  • afl-showmap, afl-tmin and afl-analyze:
    • honor persistent mode for more speed. thanks to dloffre-snl
      for reporting!
    • fix bug where targets are not killed on timeouts
    • moved hidden afl-showmap -A option to -H to be used for
  • Prevent accidentaly killing non-afl/fuzz services when aborting
    afl-showmap and other tools.
  • afl-cc:
    • detect overflow reads on initial input buffer for asan
    • new cmplog mode (incompatible with older afl++ versions)
    • support llvm IR select instrumentation for default PCGUARD and LTO
    • fix for shared linking on MacOS
    • better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST
      on filename matching (requires llvm 11 or newer)
    • fixed a potential crash in targets for LAF string handling
    • fixed a bad assert in LAF split switches
    • added AFL_USE_TSAN thread sanitizer support
    • llvm and LTO mode modified to work with new llvm 14-dev (again.)
    • fix for AFL_REAL_LD
    • more -z defs filtering
    • make -v without options work
  • added the very good grammar mutator "GramaTron" to the
  • added optimin, a faster and better corpus minimizer by
    Adrian Herrera. Thank you!
  • added afl-persistent-config script to set perform permanent system
    configuration settings for fuzzing, for Linux and Macos.
    thanks to jhertz!
  • added xml, curl & exotic string functions to llvm dictionary feature
  • fix AFL_PRELOAD issues on MacOS
  • removed utils/afl_frida because frida_mode/ is now so much better
  • added uninstall target to makefile (todo: update new readme!)
Choose a tag to compare

Version ++3.14c (release)

  • afl-fuzz:
    • fix -F when a '/' was part of the parameter
    • fixed a crash for cmplog for very slow inputs
    • fix for AFLfast schedule counting
    • removed implied -D determinstic from -M main
    • if the target becomes unavailable check out out/default/error.txt
      for an indicator why
    • AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL
    • reverse read the queue on resumes (more effective)
    • fix custom mutator trimming
  • afl-cc:
    • Update to COMPCOV/laf-intel that speeds up the instrumentation
      process a lot - thanks to Michael Rodler/f0rki for the PR!
    • Fix for failures for some sized string instrumentations
    • Fix to instrument global namespace functions in c++
    • Fix for llvm 13
    • support partial linking
    • do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE
    • We do support llvm versions from 3.8 to 5.0 again
  • frida_mode:
    • several fixes for cmplog
    • less coverage collision
    • feature parity of aarch64 with intel now (persistent, cmplog,
      in-memory testcases, asan)
  • afl-cmin and afl-showmap -i do now descend into subdirectories
    (like afl-fuzz does) - note that afl-cmin.bash does not!
  • afl_analyze:
    • fix timeout handling
    • add forkserver support for better performance
  • ensure afl-compiler-rt is built for gcc_module
  • always build aflpp_driver for libfuzzer harnesses
  • added AFL_NO_FORKSRV env variable support to
    afl-cmin, afl-tmin, and afl-showmap, by @jhertz
  • removed outdated documents, improved existing documentation
Choose a tag to compare

Version ++3.13c (release)

  • Note: plot_data switched to relative time from unix time in 3.10
  • frida_mode - new mode that uses frida to fuzz binary-only targets,
    it currently supports persistent mode and cmplog.
    thanks to @WorksButNotTested!
  • create a fuzzing dictionary with the help of CodeQL thanks to
    @Microsvuln! see utils/autodict_ql
  • afl-fuzz:
    • added patch by @realmadsci to support @@ as part of command line
      options, e.g. afl-fuzz ... -- ./target --infile=@@
    • add recording of previous fuzz attempts for persistent mode
      to allow replay of non-reproducable crashes, see
      AFL_PERSISTENT_RECORD in config.h and docs/envs.h
    • fixed a bug when trimming for stdin targets
    • cmplog -l: default cmplog level is now 2, better efficiency.
      level 3 now performs redqueen on everything. use with care.
    • better fuzzing strategy yield display for enabled options
    • ensure one fuzzer sync per cycle
    • fix afl_custom_queue_new_entry original file name when syncing
      from fuzzers
    • fixed a crash when more than one custom mutator was used together
      with afl_custom_post_process
    • on a crashing seed potentially the wrong input was disabled
    • added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
      -i dir crashes the target or results in a timeout. By default
      afl++ ignores these and uses them for splicing instead.
    • added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
      after no new paths have been found for n seconds
    • when AFL_FAST_CAL is set a variable path will now be calibrated
      8 times instead of originally 40. Long calibration is now 20.
    • added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
      it fails
  • afl-cc:
    • We do not support llvm versions prior 6.0 anymore
    • added thread safe counters to all modes (AFL_LLVM_THREADSAFE_INST),
      note that this disables NeverZero counters.
    • Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
    • Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
    • Removed InsTrim instrumentation as it is not as good as PCGUARD
    • Removed automatic linking with -lc++ for LTO mode
    • Fixed a crash in llvm dict2file when a strncmp length was -1
    • added --afl-noopt support
  • utils/aflpp_driver:
    • aflpp_qemu_driver_hook fixed to work with qemu_mode
    • aflpp_driver now compiled with -fPIC
  • unicornafl:
    • fix MIPS delay slot caching, thanks @JackGrence
    • fixed aarch64 exit address
    • execution no longer stops at address 0x0
  • updated afl-system-config to support Arch Linux weirdness and increase
    MacOS shared memory
  • updated the grammar custom mutator to the newest version
  • add -d (add dead fuzzer stats) to afl-whatsup
  • added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the
    current filename
  • afl-showmap/cmin will now process queue items in alphabetical order
Choose a tag to compare

Version ++3.12c (release)

  • afl-fuzz:
    • added AFL_TARGET_ENV variable to pass extra env vars to the target
      (for things like LD_LIBRARY_PATH)
    • fix map detection, AFL_MAP_SIZE not needed anymore for most cases
    • fix counting favorites (just a display thing)
  • afl-cc:
    • fix cmplog rtn (rare crash and not being able to gather ptr data)
    • fix our own PCGUARD implementation to compile with llvm 10.0.1
    • link runtime not to shared libs
    • ensure shared libraries are properly built and instrumented
    • AFL_LLVM_INSTRUMENT_ALLOW/DENY were not implemented for LTO, added
    • show correct LLVM PCGUARD NATIVE mode when auto switching to it
      and keep fsanitize-coverage-*list=...
      Short mnemnonic NATIVE is now also accepted.
  • qemu_mode (thanks @realmadsci):
    • move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace
  • unicorn_mode
    • accidently removed the subfolder from github, re-added
  • added DEFAULT_PERMISSION to config.h for all files created, default
    to 0600
Choose a tag to compare

Version ++3.11c (release)

  • afl-fuzz:
    • better auto detection of map size
    • fix sanitizer settings (bug since 3.10c)
    • fix an off-by-one overwrite in cmplog
    • add non-unicode variants from unicode-looking dictionary entries
    • Rust custom mutator API improvements
    • Imported crash stats painted yellow on resume (only new ones are red)
  • afl-cc:
    • added AFL_NOOPT that will just pass everything to the normal
      gcc/clang compiler without any changes - to pass weird configure
    • fixed a crash that can occur with ASAN + CMPLOG together plus
      better support for unicode (thanks to @stbergmann for reporting!)
    • fixed a crash in LAF transform for empty strings
    • handle erroneous setups in which multiple afl-compiler-rt are
      compiled into the target. This now also supports dlopen()
      instrumented libs loaded before the forkserver and even after the
      forkserver is started (then with collisions though)
    • the compiler rt was added also in object building (-c) which
      should have been fixed years ago but somewhere got lost :(
    • Renamed CTX to CALLER, added correct/real CTX implementation to
  • qemu_mode:
    • added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks!
    • if no new/updated checkout is wanted, build with:
      NO_CHECKOUT=1 ./
    • we no longer perform a "git drop"
  • afl-cmin: support filenames with spaces
Choose a tag to compare

Version ++3.10c (release)

  • Mac OS ARM64 support
  • Android support fixed and updated by Joey Jiaojg - thanks!
  • New selective instrumentation option with _AFL_COVERAGE* commands
    to be placed in the source code.
    Check out instrumentation/
  • afl-fuzz
    • Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns on
      start the target map size
    • upgraded cmplog/redqueen: solving for floating point, solving
      transformations (e.g. toupper, tolower, to/from hex, xor,
      arithmetics, etc.). This is costly hence new command line option
      -l that sets the intensity (values 1 to 3). Recommended is 2.
    • added AFL_CMPLOG_ONLY_NEW to not use cmplog on initial seeds
      from -i or resumes (these have most likely already been done)
    • fix crash for very, very fast targets+systems (thanks to mhlakhani
      for reporting)
    • on restarts (-i)/autoresume (AFL_AUTORESUME) the stats are now
      reloaded and used, thanks to Vimal Joseph for this patch!
    • changed the meaning of '+' of the '-t' option, it now means to
      auto-calculate the timeout with the value given being the max
      timeout. The original meaning of skipping timeouts instead of
      abort is now inherent to the -t option.
    • if deterministic mode is active (-D, or -M without -d) then
      we sync after every queue entry as this can take very long time
    • added minimum SYNC_TIME to include/config.h (30 minutes default)
    • better detection if a target needs a large shared map
    • fix for -Z
    • fixed a few crashes
    • switched to an even faster RNG
    • added hghwng's patch for faster trace map analysis
    • printing suggestions for mistyped AFL_ env variables
    • added Rust bindings for custom mutators (thanks @julihoh)
  • afl-cc
    • allow instrumenting LLVMFuzzerTestOneInput
    • fixed endless loop for allow/blocklist lines starting with a
      comment (thanks to Zherya for reporting)
    • cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit
    • cmplog/redqueen can now process basic libc++ and libstdc++
      std::string comparisons (no position or length type variants)
    • added support for __afl_coverage_interesting() for LTO and our
      own PCGUARD (llvm 10.0.1+), read more about this function and
      selective coverage in instrumentation/
    • added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard
      support (less performant than our own), GCC for old afl-gcc and
      CLANG for old afl-clang
    • fixed a potential crash in the LAF feature
    • workaround for llvm bitcast lto bug
    • workaround for llvm 13
  • qemuafl
    • QASan (address sanitizer for Qemu) ported to qemuafl!
      See qemu_mode/libqasan/
    • solved some persistent mode bugs (thanks Dil4rd)
    • solved an issue when dumping the memory maps (thanks wizche)
    • Android support for QASan
  • unicornafl
    • Substantial speed gains in python bindings for certain use cases
    • Improved rust bindings
    • Added a new example harness to compare python, c and rust bindings
  • afl-cmin and afl-showmap now support the -f option
  • afl_plot now also generates a graph on the discovered edges
  • changed default: no memory limit for afl-cmin and afl-cmin.bash
  • warn on any _AFL and __AFL env vars.
  • set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars
  • added dummy Makefile to instrumentation/
  • Updated utils/afl_frida to be 5% faster, 7% on x86_x64
  • Added AFL_KILL_SIGNAL env variable (thanks @v-p-b)
  • @Edznux added a nice documentation on how to use rpc.statsd with
    afl++ in docs/, thanks!
Choose a tag to compare

Version ++3.00c (release)

  • llvm_mode/ and gcc_plugin/ moved to instrumentation/
  • examples/ renamed to utils/
  • moved libdislocator, libtokencap and qdbi_mode to utils/
  • all compilers combined to afl-cc which emulates the previous ones
  • afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
  • afl-fuzz
    • not specifying -M or -S will now auto-set "-S default"
    • deterministic fuzzing is now disabled by default and can be enabled with
      -D. It is still enabled by default for -M.
    • a new seed selection was implemented that uses weighted randoms based on
      a schedule performance score, which is much better that the previous
      walk the whole queue approach. Select the old mode with -Z (auto enabled
      with -M)
    • Marcel Boehme submitted a patch that improves all AFFast schedules :)
    • the default schedule is now FAST
    • memory limits are now disabled by default, set them with -m if required
    • rpc.statsd support, for stats and charts, by Edznux, thanks a lot!
    • reading testcases from -i now descends into subdirectories
    • allow the -x command line option up to 4 times
    • loaded extras now have a duplication protection
    • If test cases are too large we do a partial read on the maximum
      supported size
    • longer seeds with the same trace information will now be ignored
      for fuzzing but still be used for splicing
    • crashing seeds are now not prohibiting a run anymore but are
      skipped - they are used for splicing, though
    • update MOpt for expanded havoc modes
    • setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary
    • added NO_SPLICING compile option and makefile define
    • added INTROSPECTION make target that writes all mutations to
    • print special compile time options used in help output
    • when using -c cmplog, one of the childs was not killed, fixed
    • somewhere we broke -n dumb fuzzing, fixed
    • added afl_custom_describe to the custom mutator API to allow for easy
      mutation reproduction on crashing inputs
  • instrumentation
    • We received an enhanced gcc_plugin module from AdaCore, thank you
      very much!!
    • not overriding -Ox or -fno-unroll-loops anymore
    • we now have our own trace-pc-guard implementation. It is the same as
      -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
      and b) works from llvm 10.0.1 + onwards :)
    • new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
      -x dictionary of string comparisons found during compilation
    • LTO autodict now also collects interesting cmp comparisons,
      std::string compare + find + ==, bcmp
    • fix crash in dict2file for integers > 64 bit
  • custom mutators
    • added a new custom mutator: symcc ->
    • added a new custom mutator: libfuzzer that integrates libfuzzer mutations
    • Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
    • added INTROSPECTION support for custom modules
    • python fuzz function was not optional, fixed
    • some python mutator speed improvements
  • afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
  • unicornafl synced with upstream version 1.02 (fixes, better rust bindings)
  • added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash
Choose a tag to compare

Version ++2.68c (release)

  • added the GSoC excellent afl++ grammar mutator by Shengtuo to our
    custom_mutators/ (see custom_mutators/ - or get it here:
  • a few QOL changes for Apple and its outdated gmake
  • afl-fuzz:
    • fix for auto dictionary entries found during fuzzing to not throw out
      a -x dictionary
    • added total execs done to plot file
    • AFL_MAX_DET_EXTRAS env variable added to control the amount of
      deterministic dict entries without recompiling.
    • AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait
      for the forkserver to come up without the need to increase the overall
    • bugfix for cmplog that results in a heap overflow based on target data
      (thanks to the magma team for reporting!)
    • write fuzzing setup into out/fuzzer_setup (environment variables and
      command line)
  • custom mutators:
    • added afl_custom_fuzz_count/fuzz_count function to allow specifying
      the number of fuzz attempts for custom_fuzz
  • llvm_mode:
    • ported SanCov to LTO, and made it the default for LTO. better
      instrumentation locations
    • Further llvm 12 support (fast moving target like afl++ :-) )
    • deprecated LLVM SKIPSINGLEBLOCK env environment