The afl-fuzz command is the core fuzzing engine of AFL++. It performs coverage-guided fuzzing to automatically discover crashes and hangs in target programs.

Synopsis

afl-fuzz -i seeds_dir -o output_dir [options] -- /path/to/target [target_args]

Description

afl-fuzz uses genetic algorithms and coverage feedback to evolve test cases that explore different execution paths in the target program. It monitors program behavior to detect crashes, hangs, and interesting code paths.

Required Parameters

-i
path
required
Input directory containing seed test cases. Use -i - to resume a previous fuzzing session.
afl-fuzz -i seeds/ -o out/ -- ./target
-o
path
required
Output directory where the fuzzer stores its queue, crashes, hangs, and statistics (see Output Directory Structure below).
afl-fuzz -i seeds/ -o findings/ -- ./target @@

Execution Control

-t
number
Timeout for each run in milliseconds (auto-scaled; default 1000 ms). Add a '+' suffix to auto-calculate the timeout, using the given value as the maximum.
afl-fuzz -i in -o out -t 2000 -- ./slow_target
afl-fuzz -i in -o out -t 2000+ -- ./target  # Auto-calculate, max 2000ms
-m
number
Memory limit for child process in megabytes (default: none).
afl-fuzz -i in -o out -m 512 -- ./target
-f
path
File the target reads its input from; afl-fuzz writes each test case there before every run (default: stdin, or the path substituted for the @@ placeholder in the target arguments).
afl-fuzz -i in -o out -f /tmp/input -- ./target /tmp/input
# Or use @@ placeholder:
afl-fuzz -i in -o out -- ./target @@
-Q
boolean
Use QEMU mode for fuzzing binary-only targets (Linux only).
afl-fuzz -i in -o out -Q -- ./binary_target
-O
boolean
Use FRIDA mode for fuzzing binary-only targets.
afl-fuzz -i in -o out -O -- ./binary_target
-U
boolean
Use Unicorn mode for fuzzing (Linux only).

Mutation Settings

-P
string
Set a fixed mutation strategy: explore (focus on finding new coverage) or exploit (focus on triggering crashes). Can also be a number of seconds: after that long without new finds the fuzzer switches to exploit mode, and switches back on new coverage (default: 1000).
afl-fuzz -i in -o out -P explore -- ./target
afl-fuzz -i in -o out -P 3600 -- ./target  # Switch after 1 hour
-p
string
Power schedule used to compute a seed's performance score. Options: fast (default), explore, exploit, seek, rare, mmopt, coe, lin, quad.
afl-fuzz -i in -o out -p fast -- ./target
-g
number
Set minimum length of generated fuzz input (default: 1).
afl-fuzz -i in -o out -g 10 -- ./target
-G
number
Set maximum length of generated fuzz input (default: 1048576 = 1MB).
afl-fuzz -i in -o out -G 4096 -- ./target
-L
number
Use MOpt(imize) mode; the number is the time limit in minutes without new finds before entering pacemaker mode. 0 = immediately, -1 = immediately and together with normal mutation.
afl-fuzz -i in -o out -L 0 -- ./target
-c
path
Enable CmpLog by specifying a binary compiled with CmpLog instrumentation. Use -c 0 if target has built-in CmpLog. Use -c - to disable.
# Separate CmpLog binary
afl-fuzz -i in -o out -c ./target.cmplog -- ./target

# Built-in CmpLog
afl-fuzz -i in -o out -c 0 -- ./target
-l
string
CmpLog configuration: 1=small files, 2=larger files (default), 3=all files, A=arithmetic solving, T=transformational solving, X=extreme transform, R=random colorization.
afl-fuzz -i in -o out -c 0 -l 2ATR -- ./target
-x
path
Fuzzer dictionary file (can be specified up to 4 times).
afl-fuzz -i in -o out -x dict.txt -x extra.txt -- ./target
-u
boolean
Enable testcase splicing mutation.
afl-fuzz -i in -o out -u -- ./target

Fuzzing Behavior

-n
boolean
Fuzz without instrumentation (dumb mode).
afl-fuzz -i in -o out -n -- ./uninstrumented_target
-Z
boolean
Sequential queue selection instead of weighted random.
afl-fuzz -i in -o out -Z -- ./target
-N
boolean
Do not unlink the fuzzing input file (useful for devices).
afl-fuzz -i in -o out -N -- ./target /dev/input

Parallel Fuzzing

-M
string
Distributed mode - main fuzzer instance (only one per sync directory). Sets sequential queue selection (-Z) and disables trimming.
afl-fuzz -i in -o sync -M main01 -- ./target
-S
string
Distributed mode - secondary fuzzer instance.
afl-fuzz -i in -o sync -S secondary01 -- ./target
-F
path
Sync to a foreign fuzzer queue directory (requires -M, can be specified up to 32 times).
afl-fuzz -i in -o sync -M main -F ../other_fuzzer/queue -- ./target

Test Settings

-s
number
Use a fixed seed for the RNG (for reproducibility).
afl-fuzz -i in -o out -s 12345 -- ./target
-V
number
Fuzz for a specified time in seconds then terminate.
afl-fuzz -i in -o out -V 3600 -- ./target  # Fuzz for 1 hour
-E
number
Fuzz for an approximate number of total executions then terminate.
afl-fuzz -i in -o out -E 1000000 -- ./target

Other Options

-T
string
Text banner to show on the screen.
afl-fuzz -i in -o out -T "Project X Fuzzing" -- ./target
-I
string
Execute this command/script when a new crash is found.
afl-fuzz -i in -o out -I ./notify.sh -- ./target
-C
boolean
Crash exploration mode (Peruvian Rabbit mode).
afl-fuzz -i crashes/ -o out -C -- ./target @@
-b
number
Bind fuzzing process to specific CPU core.
afl-fuzz -i in -o out -b 3 -- ./target
-e
string
File extension for the fuzz test input file.
afl-fuzz -i in -o out -e png -- ./target @@
-z
boolean
Skip the enhanced deterministic fuzzing stage.
afl-fuzz -i in -o out -z -- ./target

Examples

Basic Fuzzing

# Fuzz with file input
afl-fuzz -i seeds/ -o findings/ -- ./target @@

# Fuzz with stdin
afl-fuzz -i seeds/ -o findings/ -- ./target

CmpLog Mode

# Build target
afl-cc -o target target.c
AFL_LLVM_CMPLOG=1 afl-cc -o target.cmplog target.c

# Fuzz with CmpLog
afl-fuzz -i seeds/ -o out/ -c ./target.cmplog -- ./target @@

Parallel Fuzzing

# Terminal 1 - Main instance
afl-fuzz -i seeds/ -o sync/ -M fuzzer01 -- ./target @@

# Terminal 2 - Secondary instance
afl-fuzz -i seeds/ -o sync/ -S fuzzer02 -- ./target @@

# Terminal 3 - Another secondary
afl-fuzz -i seeds/ -o sync/ -S fuzzer03 -- ./target @@
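The three commands above run identical instances, which wastes cores: the point of a parallel campaign is that each instance fuzzes differently and the instances share finds through the sync directory. The script below is an added example, not part of the AFL++ page or project; it gives every instance a different mix of power schedule, CmpLog, MOpt and -P strategy using only the options documented above, and it assumes ./target, a CmpLog build ./target.cmplog and a dictionary dict.txt exist (override via SEEDS, SYNC, TARGET, CMPLOG, DICT).

```shell
#!/bin/sh
# Added example: launch a heterogeneous afl-fuzz campaign.
# Assumed paths (not from the page); override them in the environment.
SEEDS=${SEEDS:-seeds}
SYNC=${SYNC:-sync}
TARGET=${TARGET:-./target}
CMPLOG=${CMPLOG:-./target.cmplog}
DICT=${DICT:-dict.txt}

# Options for instance number $1 (0 = the single -M main). Each secondary
# gets a different configuration so the ensemble explores differently;
# all instances share $SYNC and pick up each other's queue entries.
afl_instance_opts() {
  case $1 in
    0) echo "-M main -c $CMPLOG -l 2AT" ;;
    1) echo "-S s01 -p explore -c $CMPLOG -l 2AT -x $DICT" ;;
    2) echo "-S s02 -p exploit -L 0" ;;
    3) echo "-S s03 -p rare -P explore" ;;
    4) echo "-S s04 -p fast -c $CMPLOG -l 3ATR" ;;
    *) echo "-S s$(printf '%02d' "$1") -p fast -P 600" ;;
  esac
}

# Start $1 instances in the background with the status screen disabled;
# each writes its log to $SYNC.instanceN.log.
afl_launch_campaign() {
  n=$1
  i=0
  while [ "$i" -lt "$n" ]; do
    opts=$(afl_instance_opts "$i")
    # $opts is intentionally unquoted so it word-splits into separate flags
    AFL_NO_UI=1 nohup afl-fuzz -i "$SEEDS" -o "$SYNC" $opts -- "$TARGET" @@ \
      >"$SYNC.instance$i.log" 2>&1 &
    i=$((i + 1))
  done
  echo "launched $n instances; check progress with: afl-whatsup -s $SYNC"
}

# Usage: afl_launch_campaign 6
```

Run `afl_launch_campaign N` with N no larger than the core count reported by afl-gotcpu; afl-whatsup summarises all instances under the sync directory.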

Binary-Only Fuzzing (QEMU)

afl-fuzz -i seeds/ -o out/ -Q -- ./closed_source_binary @@

With Dictionary

afl-fuzz -i seeds/ -o out/ -x keywords.dict -- ./target @@

Resume Fuzzing

# Resume from previous session
afl-fuzz -i - -o out/ -- ./target @@

# Or with AFL_AUTORESUME
AFL_AUTORESUME=1 afl-fuzz -i seeds/ -o out/ -- ./target @@

Environment Variables

See the Environment Variables page for comprehensive list. Key variables:
  • AFL_AUTORESUME - Resume fuzzing automatically
  • AFL_FAST_CAL - Speed up calibration stage
  • AFL_IGNORE_PROBLEMS - Continue despite setup issues
  • AFL_NO_UI - Disable status screen
  • AFL_TMPDIR - Directory for the temporary input file (point it at a ramdisk)
  • AFL_CUSTOM_MUTATOR_LIBRARY - Custom mutation library

Output Directory Structure

out/
├── fuzzer_stats          # Real-time statistics
├── plot_data             # Data for afl-plot
├── queue/                # Interesting test cases
│   ├── id:000000,*       # Seed inputs
│   └── id:000001,*       # Generated inputs
├── crashes/              # Crashing inputs
│   ├── id:000000,*       # First crash
│   └── README.txt        # Crash triage info
├── hangs/                # Hanging inputs
└── .cur_input            # Currently tested input
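fuzzer_stats is the file to watch for campaign health: a low execs_per_sec means the setup is slow, and stability below roughly 90% means the target behaves non-deterministically (uninitialised memory, threads, time or randomness) so coverage feedback is noisy. The helper below is an added example, not code from the AFL++ project; it assumes the AFL++ 4.x field names execs_per_sec, stability, saved_crashes and saved_hangs and the "key : value" line format.

```shell
# Added example: read fuzzer_stats and flag common campaign problems.
# Assumes AFL++ 4.x field names and the "key : value" line format.

# afl_stat <fuzzer_stats file> <key>: print the value for one key.
afl_stat() {
  awk -v k="$2" '$1 == k { sub(/^[^:]*: */, ""); print; exit }' "$1"
}

# afl_check_health <output dir>: print warnings; returns 1 if any fired,
# 2 if the stats file is missing.
afl_check_health() {
  stats=$1/fuzzer_stats
  [ -f "$stats" ] || { echo "no fuzzer_stats in $1"; return 2; }
  rc=0
  execs=$(afl_stat "$stats" execs_per_sec)
  stab=$(afl_stat "$stats" stability)        # e.g. "92.31%"
  crashes=$(afl_stat "$stats" saved_crashes)
  hangs=$(afl_stat "$stats" saved_hangs)

  # Slow execution: revisit -t, put AFL_TMPDIR on a ramdisk, use persistent mode.
  if [ "$(awk -v e="$execs" 'BEGIN { print (e + 0 < 100) }')" = 1 ]; then
    echo "WARN: execs_per_sec=$execs (slow; check -t, AFL_TMPDIR, persistent mode)"
    rc=1
  fi
  # Non-deterministic target: the same input yields different edges.
  if [ "$(awk -v s="${stab%\%}" 'BEGIN { print (s + 0 < 90) }')" = 1 ]; then
    echo "WARN: stability=$stab (non-deterministic target; coverage feedback is noisy)"
    rc=1
  fi
  echo "crashes=$crashes hangs=$hangs"
  return $rc
}

# Usage: afl_check_health out/
```

The thresholds (100 execs/s, 90% stability) are this example's choices; tune them to the target. Wire the function into cron or the -I hook to get notified when a long campaign degrades.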

Status Screen

The AFL++ status screen shows:
  • Overall results - Paths found, crashes, hangs
  • Cycle progress - Current fuzzing stage
  • Map coverage - Edge coverage statistics
  • Stage progress - Current mutation strategy
  • Findings in depth - New paths, crashes per time
  • Fuzzing strategy - Current power schedule
  • Path geometry - Corpus characteristics
  • CPU load - System resource usage

Tips

Seed Selection

Provide small, diverse seed files:
# Good: small, valid inputs
ls -lh seeds/
-rw-r--r-- 1 user user  128 Dec 1 10:00 sample1.dat
-rw-r--r-- 1 user user  256 Dec 1 10:00 sample2.dat

# Bad: huge files
-rw-r--r-- 1 user user  10M Dec 1 10:00 huge.dat

Performance Tuning

# Use ramdisk for temporary files
mkdir /tmp/ramdisk
sudo mount -t tmpfs -o size=512M tmpfs /tmp/ramdisk
AFL_TMPDIR=/tmp/ramdisk afl-fuzz -i in -o out -- ./target

# System configuration
sudo afl-system-config

# Check CPU availability
afl-gotcpu

Crash Triage

# Minimize crashing input
afl-tmin -i out/crashes/id:000000,* -o crash.min -- ./target @@

# Check if crash reproduces
./target crash.min

# Debug with GDB
gdb --args ./target crash.min
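Before minimising and debugging one crash at a time, it pays to bucket the whole crashes/ directory and confirm which inputs reproduce outside the fuzzer. The helpers below are an added example, not code from the AFL++ project; they rely on the AFL++ crash file naming shown in the directory listing above (id:000000,sig:11,src:...,time:...,execs:...,op:...,rep:...), where sig: is the signal that killed the target, and they mirror afl-fuzz's input delivery (file via @@, otherwise stdin).

```shell
# Added example: triage an AFL++ crashes/ directory.
# Relies on the id:NNNNNN,sig:NN,... crash file naming; README.txt is skipped.

# afl_crash_summary <crashes dir>: print "sig:NN count" lines, most common first.
afl_crash_summary() {
  for f in "$1"/id:*; do
    [ -e "$f" ] || continue
    n=${f##*/}
    case $n in
      *,sig:*) s=${n#*,sig:}; echo "sig:${s%%,*}" ;;
    esac
  done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# afl_reproduce <crash file> <target> [args...]: run the target on one crash,
# substituting the file for @@ (or feeding it on stdin when there is no @@),
# and print the exit status: 128+N means the target died from signal N.
afl_reproduce() {
  crash=$1; shift
  via_file=0; n=$#
  while [ "$n" -gt 0 ]; do          # rebuild "$@" with @@ replaced
    a=$1; shift
    if [ "$a" = "@@" ]; then a=$crash; via_file=1; fi
    set -- "$@" "$a"
    n=$((n - 1))
  done
  rc=0
  if [ "$via_file" = 1 ]; then
    "$@" >/dev/null 2>&1 || rc=$?
  else
    "$@" <"$crash" >/dev/null 2>&1 || rc=$?
  fi
  echo "$rc"
}

# afl_triage <crashes dir> <target> [args...]: one "status filename" line per
# crash. Status 0 means it did not reproduce standalone (sanitizer or
# environment differences, wrong @@/stdin mode), which is worth investigating.
afl_triage() {
  dir=$1; shift
  for f in "$dir"/id:*; do
    [ -e "$f" ] || continue
    echo "$(afl_reproduce "$f" "$@") ${f##*/}"
  done
}

# Usage:
#   afl_crash_summary out/crashes
#   afl_triage out/crashes ./target @@
```

Pick one input per signal bucket (or per src: queue entry) for afl-tmin and gdb; run the target with the same environment variables the fuzzer used, since ASAN options and the @@-versus-stdin choice both change whether a crash reproduces.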

See Also