diff --git a/lib/checkfunctions.cpp b/lib/checkfunctions.cpp
index 7ce557bfc92..5aa979b0bcf 100644
--- a/lib/checkfunctions.cpp
+++ b/lib/checkfunctions.cpp
@@ -766,7 +766,7 @@ void CheckFunctions::useStandardLibrary()
 continue;
 // 3. we expect idx incrementing by 1
- const bool inc = stepToken->str() == "++" && stepToken->astOperand1()->varId() == idxVarId;
+ const bool inc = stepToken->str() == "++" && stepToken->astOperand1() && stepToken->astOperand1()->varId() == idxVarId;
 const bool plusOne = stepToken->isBinaryOp() && stepToken->str() == "+=" && stepToken->astOperand1()->varId() == idxVarId && stepToken->astOperand2()->str() == "1";
diff --git a/lib/checkother.cpp b/lib/checkother.cpp
index af2ca4ea432..35e514dc0f2 100644
--- a/lib/checkother.cpp
+++ b/lib/checkother.cpp
@@ -1938,7 +1938,7 @@ void CheckOther::checkIncompleteStatement()
 continue;
 if (isVoidStmt(tok))
 continue;
- if (mTokenizer->isCPP() && tok->str() == "&" && !(tok->astOperand1()->valueType() && tok->astOperand1()->valueType()->isIntegral()))
+ if (mTokenizer->isCPP() && tok->str() == "&" && !(tok->astOperand1() && tok->astOperand1()->valueType() && tok->astOperand1()->valueType()->isIntegral()))
 // Possible archive
 continue;
 const bool inconclusive = tok->isConstOp();
diff --git a/lib/checkuninitvar.cpp b/lib/checkuninitvar.cpp
index 8458ffe4d5c..e4038adfbf9 100644
--- a/lib/checkuninitvar.cpp
+++ b/lib/checkuninitvar.cpp
@@ -1287,7 +1287,7 @@ const Token* CheckUninitVar::isVariableUsage(const Token *vartok, const Library&
 if (Token::Match((derefValue ? derefValue : vartok)->astParent(), "(|=") && astIsRhs(derefValue ? derefValue : vartok)) {
 const Token *rhstok = derefValue ? derefValue : vartok;
 const Token *lhstok = rhstok->astParent()->astOperand1();
- const Variable *lhsvar = lhstok->variable();
+ const Variable *lhsvar = lhstok ? lhstok->variable() : nullptr;
 if (lhsvar && lhsvar->isReference() && lhsvar->nameToken() == lhstok)
 return nullptr;
 }
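Review bot: The new null guard makes `inc` and the adjacent `plusOne` line asymmetric: `plusOne` still reads `stepToken->astOperand1()->varId()` and `stepToken->astOperand2()->str()` with no visible null check, relying on `stepToken->isBinaryOp()` being evaluated first, which presumably implies both AST operands are present. A one-line comment above `plusOne`, e.g. `// isBinaryOp() implies both operands exist, so the derefs below need no guard`, would stop the next reader from re-adding a guard there. `stepToken->astOperand1()` is now evaluated twice inside `inc`; hoisting it as `const Token* const op1 = stepToken->astOperand1();` and writing `const bool inc = stepToken->str() == "++" && op1 && op1->varId() == idxVarId;` keeps the line short. The body of useStandardLibrary continues outside the hunk.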
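Review bot: `tok->astOperand1()` is now spelled out three times in the rewritten condition, which makes the line hard to scan and obscures that the `// Possible archive` comment on the following line belongs to this `if`. Hoisting the value type, `const auto* const vt = tok->astOperand1() ? tok->astOperand1()->valueType() : nullptr;` followed by `if (mTokenizer->isCPP() && tok->str() == "&" && !(vt && vt->isIntegral()))`, says the same thing in two short lines. Note the behavioural choice the guard makes: a C++ `&` token with no first operand now takes the `continue` path (treated like a possible archive) and is silently skipped; if that case should be reported rather than skipped, it needs its own branch. checkIncompleteStatement continues outside the hunk.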
diff --git a/lib/programmemory.cpp b/lib/programmemory.cpp
index 6b082514f14..b5558233206 100644
--- a/lib/programmemory.cpp
+++ b/lib/programmemory.cpp
@@ -320,7 +320,7 @@ void programMemoryParseCondition(ProgramMemory& pm, const Token* tok, const Toke
 else
 pm.setIntValue(tok, 0, then);
 }
- } else if (tok->exprId() > 0) {
+ } else if (tok && tok->exprId() > 0) {
 if (endTok && findExpressionChanged(tok, tok->next(), endTok, settings, true))
 return;
 pm.setIntValue(tok, 0, then);
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
index a0706491dac..b6e312625d9 100644
--- a/lib/tokenlist.cpp
+++ b/lib/tokenlist.cpp
@@ -960,7 +960,7 @@ static void compilePrecedence2(Token *&tok, AST_state& state)
 Token* const curlyBracket = squareBracket->link()->next();
 squareBracket->astOperand1(curlyBracket);
 state.op.push(squareBracket);
- tok = curlyBracket->link()->next();
+ tok = curlyBracket->link() ? curlyBracket->link()->next() : nullptr;
 continue;
 }
 }
diff --git a/test/cli/fuzz-crash/crash-26edfe9761d3b681c841dfe80398847dee332f83 b/test/cli/fuzz-crash/crash-26edfe9761d3b681c841dfe80398847dee332f83
new file mode 100644
index 00000000000..37965deed0b
Binary files /dev/null and b/test/cli/fuzz-crash/crash-26edfe9761d3b681c841dfe80398847dee332f83 differ
diff --git a/test/cli/fuzz-crash/crash-3ea64296c8518edb538e0047c3eba0792d5deeba b/test/cli/fuzz-crash/crash-3ea64296c8518edb538e0047c3eba0792d5deeba
new file mode 100644
index 00000000000..f096de3bf78
Binary files /dev/null and b/test/cli/fuzz-crash/crash-3ea64296c8518edb538e0047c3eba0792d5deeba differ
diff --git a/test/cli/fuzz-crash/crash-7ead2ccf9be8b03b2d9c8c82891f58081390a560 b/test/cli/fuzz-crash/crash-7ead2ccf9be8b03b2d9c8c82891f58081390a560
new file mode 100644
index 00000000000..80a938891ac
Binary files /dev/null and b/test/cli/fuzz-crash/crash-7ead2ccf9be8b03b2d9c8c82891f58081390a560 differ
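Review bot: A null `tok` is caught only in the final `else if`; the earlier branches of the chain (its start is outside the hunk) are evaluated first, so the new guard only helps if every preceding condition already tolerates a null `tok`, which cannot be confirmed from these lines. An early `if (!tok) return;` at the top of programMemoryParseCondition would state the precondition once, in the obvious place, and make the `tok->next()` and `pm.setIntValue(tok, 0, then)` calls inside this block trivially safe. If the check has to stay on this branch because some callers intentionally pass a null `tok` that an earlier branch handles, a comment on the new line such as `// tok may be null here (e.g. empty condition); skip rather than dereference` would record that reasoning.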
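Review bot: The fix guards `curlyBracket->link()` but not `curlyBracket` itself, which two lines up comes from `squareBracket->link()->next()` and would be null if `]` were the last token; whether the branch's entry condition (outside the hunk) rules that out cannot be seen here, so it is worth confirming. On the new path `tok` becomes `nullptr` and the loop `continue`s, which means the loop header, also outside the hunk, must test `tok` before the next iteration dereferences it. A comment on the new line, e.g. `// '{' without a link (malformed input): bail out; the loop must cope with tok == nullptr`, would mark this as an intentional abort of AST construction rather than a normal step. compilePrecedence2 begins and ends outside the hunk.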
diff --git a/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b b/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b
new file mode 100644
index 00000000000..cf4921c19c7
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b
@@ -0,0 +1,12 @@
+#include
+sho main()
+{
+ std::veCtor items(2);
+ stdtryector::iterator iter;
+ for (iter -= items.begin(); i&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&ter != items.end();) {
+ if (*iter == 2) {
+ iter = items.erase//(iter);
+ } else {
+ }
+ }
+}
diff --git a/test/cli/fuzz-crash/crash-e4a26f2d7d0a73836bf086f54e48204d8914b95a b/test/cli/fuzz-crash/crash-e4a26f2d7d0a73836bf086f54e48204d8914b95a
new file mode 100644
index 00000000000..89b9bf0f48b
Binary files /dev/null and b/test/cli/fuzz-crash/crash-e4a26f2d7d0a73836bf086f54e48204d8914b95a differ
diff --git a/test/cli/fuzz_test.py b/test/cli/fuzz_test.py
new file mode 100644
index 00000000000..91f1dc84a9f
--- /dev/null
+++ b/test/cli/fuzz_test.py
@@ -0,0 +1,16 @@
+import os
+from testutils import cppcheck
+
+__script_dir = os.path.dirname(os.path.abspath(__file__))
+
+
+def test_fuzz_crash():
+ failures = {}
+
+ fuzz_crash_dir = os.path.join(__script_dir, 'fuzz-crash')
+ for f in os.listdir(fuzz_crash_dir):
+ ret, stdout, _ = cppcheck(['-q', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
+ if ret != 0:
+ failures[f] = stdout
+
+ assert failures == {}
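Review bot: `failures[f] = stdout` records only stdout while the third value returned by `cppcheck()` is discarded as `_`; if that value is stderr, as its position suggests, a crash whose diagnostic goes there will appear in the assertion message as an empty string and the file name will be the only clue. Capturing both, `ret, stdout, stderr = cppcheck(['-q', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)` and `failures[f] = (ret, stdout, stderr)`, makes a failure self-describing, and keeping `ret` in the tuple distinguishes an abnormal termination from an ordinary non-zero exit. A short docstring on `test_fuzz_crash` saying that every file under `fuzz-crash` is a past crash reproducer and that the test asserts only a zero exit code, never any particular output, would explain why `--enable=all --inconclusive` is passed and why nothing is compared against expected findings. `os.listdir` also returns everything in the directory, so a stray non-input file dropped there (editor backup, `.gitignore`) would be fed to cppcheck too; skipping names that start with a dot is cheap insurance.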