AFL++ Fuzzing Toolkit

The most advanced fork of American Fuzzy Lop — more speed, better mutations, enhanced instrumentation, and comprehensive binary-only fuzzing support.

Quick start

Get AFL++ running on your target in minutes

1. Install AFL++

Install via Docker for the fastest setup:
```bash
docker pull aflplusplus/aflplusplus
docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus
```
Or build from source for maximum performance:
```bash
sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev
sudo apt-get install -y lld-18 llvm-18 llvm-18-dev clang-18
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make distrib
sudo make install
```

2. Instrument your target

Compile your program with AFL++ instrumentation:
```bash
CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared
make clean all
```
This adds coverage tracking to find bugs faster.

3. Prepare test cases

Create a directory with valid input files:
```bash
mkdir seeds_dir
echo "valid input" > seeds_dir/seed1.txt
```
Start with small, valid inputs — AFL++ will mutate them to find crashes.

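4. Start fuzzing

Launch the fuzzer:
```bash
afl-fuzz -i seeds_dir -o output_dir -- /path/to/program @@
```
Crashes appear in output_dir/default/crashes/ (afl-fuzz names a single instance "default"). The `@@` above means the target reads its input from a file, so replay a crash by passing the file as the argument:
```bash
/path/to/program output_dir/default/crashes/id:000000,*
```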
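
A small triage helper for the replay step above, added here as an example and not part of AFL++ or its documentation: it runs the target on every saved crash file and reports the signal each one dies with. The function name `replay_crashes` and its output format are assumptions, and it expects the target to take the input file as its last argument, as with a trailing `@@`.

```bash
# Added example, not AFL++ code.
# Usage: replay_crashes CRASH_DIR PROGRAM [ARGS...]
#   Each crash file is appended as the last argument (a trailing @@).
#   Returns 0 only when every saved crash file still kills the target.
replay_crashes() (
  dir=$1; shift
  total=0; reproduced=0
  for f in "$dir"/id:*; do          # id:* skips the README.txt afl-fuzz writes here
    [ -f "$f" ] || continue         # an unmatched glob stays literal; ignore it
    total=$((total + 1))
    rc=0
    "$@" "$f" </dev/null >/dev/null 2>&1 || rc=$?
    name=${f##*/}
    if [ "$rc" -gt 128 ]; then      # 128+N is how the shell reports death by signal N
      sig=$((rc - 128))
      signame=$(kill -l "$sig" 2>/dev/null) || signame=unknown
      reproduced=$((reproduced + 1))
      printf 'CRASH    signal=%s (%s)  %s\n' "$sig" "$signame" "$name"
    else
      # Not reproduced: flaky bug, different environment, or a build that
      # handles the fault and exits normally.
      printf 'NOCRASH  exit=%s  %s\n' "$rc" "$name"
    fi
  done
  printf 'summary: %s of %s crash files reproduced\n' "$reproduced" "$total"
  [ "$total" -gt 0 ] && [ "$reproduced" -eq "$total" ]
)
```

Files reported as NOCRASH are worth re-running before discarding them, since a crash that depends on timing or memory layout may not fire on every execution.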

Why AFL++?

AFL++ combines cutting-edge research from the fuzzing community into one powerful toolkit

Fast instrumentation

LLVM LTO mode with collision-free coverage and persistent mode for 10x+ speed

Binary-only fuzzing

QEMU, FRIDA, Unicorn, and Nyx modes — fuzz any binary on Linux, Windows, Android, and more

Smart mutations

CmpLog, LAF-Intel, MOpt, and AFLfast power schedules find bugs vanilla AFL misses

Custom mutators

Extend AFL++ with C/C++, Python, or Rust mutators for structure-aware fuzzing

Parallel fuzzing

Scale to hundreds of cores with intelligent corpus synchronization

Cross-platform

Linux, BSD, macOS, Android — instrument source or fuzz closed-source binaries

Command reference

Complete reference for all AFL++ commands

afl-cc / afl-c++

Compiler wrappers for instrumenting source code

afl-fuzz

Main fuzzing engine with parallel mode support

afl-cmin

Minimize corpus size while preserving coverage

afl-tmin

Minimize individual test cases

Ready to find bugs?

Follow our quickstart guide to instrument your first target and start fuzzing in under 5 minutes.

Get started now