What Changed Since the Last Campaign
Our previous update, in February, reported 62 vulnerabilities across 26 projects. Most of those came from auditing existing OSS-Fuzz harnesses on the general open-source ecosystem. The work done since has been deliberately different. The focus shifted to generating new harnesses for projects that did not have good fuzz coverage to begin with, and the target list moved one tier deeper into security-critical software.
All of that work runs on a single backbone we call the Four Principles. They are four source-level checks that every harness has to pass before we trust the crashes it produces. In short: (1) the harness code itself must be bug-free, (2) it must call library APIs in the order the library expects, (3) it should drive the library through its public attack surface (so any crash we find is reachable in production), and (4) the entry point it picks has to actually sit on a meaningful attack surface, not on a no-op helper. The first methodology post below introduces all four in detail.
Three Milestones, Three Methodology Posts
The pivot above came out of three connected milestones. First we needed a checkable definition of what makes a harness "good". Then we used that definition to generate new harnesses and find new bugs, with Chromium as the showcase target. Finally we put each candidate crash through a verify pipeline so the FP rate stays low. Each milestone gets its own post; the cards below link straight through.
Define what a "good" harness is
Harnesses Have Bugs Too: A Four-Principles Audit of 586 OSS-Fuzz Harnesses. The Four Principles checklist (P1 Logic Correctness, P2 API Protocol Compliance, P3 Security Boundary Respect, P4 Entry Point Adequacy), validated by auditing 586 production OSS-Fuzz harnesses. 53 fix PRs filed, 45 verified or merged, 14 false positives caught at audit, two upstream bugs unmasked (including a 25-year-old OpenSSL DES over-read).
Generate good harnesses on Chromium, find new bugs
Two Weeks Inside Chromium: 472 Harnesses, 30 Vulnerabilities Filed Upstream. The four principles flipped into a generation criterion (P4 → P1) and combined with Logic Group as a semantic-unit slicer. 472 harnesses across 58 Chromium-stack libraries (libvpx, libwebp, libaom, openscreen, dawn, pdfium, sqlite, v8 …). 30 vulnerabilities filed upstream. 52 internal crashes caught and dropped before any reached a maintainer.
Verify each crash before we file it
How We Verify Fuzzer Crashes: Four Principles, Two Reproductions, and Security Proxies. The verify pipeline that keeps live FP under 5%. Three gates: re-run the four principles on the specific crash trace, two independent reproductions (harness replay plus public-API repro), and per-library Security Proxies that encode the maintainer's documented threat model.
Severity of the New 41
Roughly half of the new findings are High severity. Memory-corruption bugs (heap overflow, UAF, OOB) dominate, with denial-of-service and unbounded-allocation issues making up most of the rest. No Critical for this batch, two Low.
What We Found: Bug Classes
The new wave skews toward memory-safety classes typical of modern multimedia, parsing, and serialization code. Heap buffer overflow leads, followed by denial-of-service in JSON and HTTP/3 parsers, and a cluster of allocation-related bugs in deserializers.
Where the New Findings Landed
Almost all of the 24 new projects sit in the Chromium dependency graph or in security-critical libraries with wide deployment footprints. Below are the ones with multiple findings or a notable confirmed/fixed first-time hit. Single-finding new projects appear in the table after.
Chromium & Google Vendor Stack
Multiple confirmed
- NULL Pointer Deref in `WebPMuxAssemble` (libwebp) — webmproject#497882857 (fixed)
- Integer Overflow / Assertion in VP9 encoder — webmproject#497896136 (confirmed)
- Integer Overflow in Y4M Buffer Size Calc — webmproject#501135996
- OOB Read in `SharpYuvConvert` — webmproject#501147575
- Uncontrolled OOM in PDFium XObject — chromium#497514412 (confirmed)
- Double-Free in FlatBuffers Parser — flatbuffers#9009 (confirmed)
- Heap Overflow in FlexBuffers ToString — flatbuffers#9008 (confirmed)
libaom (AV1)
3/3 confirmed
- Heap Overflow in `av1_restore_layer_context` — chromium#501657371 (fixed)
- Assertion Failure in `aom_rb_read_literal` — aomedia#502133197 (confirmed)
- DoS via Infinite Recode Loop in SVC Encoder — chromium#505976409 (confirmed)
openscreen (Cast Streaming)
3/3 fixed
- Pre-Auth DoS in ANSWER Parser (jsoncpp non-object find) — chromium#505902443
- Pre-Auth DoS in `ReceiverMessage::Parse` — chromium#505902444
- Pre-Auth DoS in `SenderMessage::Parse` — chromium#505947418
- All three landed in CL 7801091
tidy-html5
0/3 awaiting review
- Memory Leak in `prvTidynewStack` — tidy-html5#1177
- OOM via Unbounded Error Buffer Growth — tidy-html5#1176
- Use-After-Free in GDoc CleanNode — tidy-html5#1175
flatbuffers
2/2 confirmed
- Heap Overflow in `flatbuffers::VerifyReflection` Verifier — flatbuffers#9040 (confirmed)
- Heap Overflow in FlexBuffers `toString` Post-Verification — flatbuffers#9041
libvpx
2/2 confirmed
- Heap Overflow in VP9 Encoder midstream reconfig — webmproject#501696590 (confirmed)
- Unbounded Allocation in VP8 Decoder Error Concealment — webmproject#501696591
libvorbis
0/2 awaiting review
- Division by Zero in Residue Decoding — vorbis#124
- Memory Leak in Header Parsing — vorbis#125
FreeRDP
1/1 fixed
- Pre-Auth Memory Leak in NTLM AuthenticateMessage parser failure path — FreeRDP#12609
libavif
1/1 fixed
- Heap Buffer Overflow via signed-int length sign-extension at the Android JNI direct-ByteBuffer entry points — libavif#3178
HarfBuzz
1/1 fixed
- OOB write in fontations glyph-name callback when invoked with size==0 — harfbuzz#5947
nDPI
1/1 fixed
- Unbounded sscanf in `ndpi_hex_decode` over a borrowed non-NUL-terminated buffer in `ndpi_decode_tls_blocks` — nDPI#3163
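The nDPI entry above describes a decoder that scanned a borrowed, length-delimited slice of a TLS record as if it were a NUL-terminated string. The C block below is an added example, not nDPI's code and not the fix that landed in nDPI#3163; the function names `hex_decode_unsafe` and `hex_decode_bounded` and the input record are constructed for illustration. It puts the bug class (a `sscanf`-driven decoder that keeps consuming bytes past the end of its field) next to a length-checked decoder that never relies on a terminator, and shows the difference on an input where the field is followed by more valid hex.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not nDPI's code. Protocol dissectors usually hand a
 * decoder a borrowed slice (pointer + length) of a larger packet buffer.
 * The slice has no '\0' of its own, so any routine that stops at a
 * terminator (sscanf, strlen, strtol) reads whatever follows the slice. */

/* Hypothetical vulnerable form: decodes one byte per sscanf call and only
 * stops when the output buffer is full or the text stops parsing as hex.
 * It never looks at the length of the field it was handed. */
static int hex_decode_unsafe(const char *hex, uint8_t *out, size_t out_len) {
    size_t n = 0;
    unsigned v;
    while (n < out_len && sscanf(hex + 2 * n, "%2x", &v) == 1)
        out[n++] = (uint8_t)v;
    return (int)n;
}

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened form: every read is bounded by hex_len, the length of the
 * borrowed slice; nothing in here looks for a terminator.
 * Returns bytes written, or -1 for odd length, non-hex input, or an
 * output buffer that is too small. */
static int hex_decode_bounded(const char *hex, size_t hex_len,
                              uint8_t *out, size_t out_len) {
    if (hex_len % 2 != 0) return -1;
    size_t n = hex_len / 2;
    if (n > out_len) return -1;
    for (size_t i = 0; i < n; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (int)n;
}

/* Constructed input: an 8-character hex field followed directly by the
 * next field ("cafe"). The array is NUL-terminated so the unsafe decoder
 * over-reads into adjacent valid memory instead of crashing; in a real
 * packet buffer the bytes after the field are attacker-controlled or
 * unmapped. */
int demo_overread(void) {
    static const char record[] = "deadbeef" "cafe";
    uint8_t out[6];
    int got_unsafe  = hex_decode_unsafe(record, out, sizeof out);      /* 6: also ate "cafe" */
    int got_bounded = hex_decode_bounded(record, 8, out, sizeof out);  /* 4: stopped at field end */
    return got_unsafe * 100 + got_bounded;                             /* 604 */
}

/* The bounded decoder refuses every malformed shape instead of guessing. */
int demo_malformed(void) {
    uint8_t out[4];
    int odd   = hex_decode_bounded("abc", 3, out, sizeof out);         /* -1: odd length */
    int junk  = hex_decode_bounded("zz", 2, out, sizeof out);          /* -1: not hex */
    int small = hex_decode_bounded("0011223344", 10, out, sizeof out); /* -1: out too small */
    return (odd == -1 && junk == -1 && small == -1) ? 1 : 0;           /* 1 */
}

int main(void) {
    printf("overread demo: %d (expected 604)\n", demo_overread());
    printf("malformed demo: %d (expected 1)\n", demo_malformed());
    return 0;
}
```

The check a reviewer would apply to any decoder in a dissector is the one `hex_decode_bounded` embodies: the slice length is a parameter, every index is compared against it, and no libc string routine touches the slice. A fuzz harness that hands the decoder a slice embedded in a larger buffer, rather than a standalone NUL-terminated string, is what makes the unsafe form visible to ASan.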
OTS (Chrome's font sanitizer)
1/1 fixed
- NULL deref in `ProcessGeneric` with `TABLE_ACTION_PASSTHRU` — ots#309
SQLite
1/1 fixed
- Heap-Use-After-Free in `sqlite3Fts5PoslistNext64` via realloc-moved LookaheadReader (FTS5 path).
ICU
1/1 fixed
- Use-After-Free / NULL deref in `TransliterationRule` destructor — ICU-23365 (fixed in ICU 79.1)
Additional New-Project Findings
Single-finding-per-project hits in this period.
| Project | Vulnerability | Severity | Status |
|---|---|---|---|
| Cap'n Proto | Stack Overflow in Text Codec Lexer | High | Submitted |
| crashpad | Unbounded Alloc in MemorySnapshotMinidump | Medium | Submitted |
| Dawn | Unbounded Alloc in BlobCache Stream | Medium | Submitted |
| JavaScriptCore | DFG StrengthReductionPhase incorrectly resets m_changed flag | Medium | Fixed |
| LevelDB | Unbounded Alloc in ReadBlock via Crafted SSTable Block Handle | High | Submitted |
| libheif | Heap Overflow in heif_image_crop | High | Submitted |
| libpng | Heap-Use-After-Free in png_zlib_inflate via stale next_in (pCAL) | Medium | Submitted (GHSA) |
| OpenCV | Heap Buffer Overflow in YAML parser parseKey() (empty key) | Low | Fixed |
| OpenSSL | Stack Buffer Over-Read in DES OFB/CFB64 (unchecked num) — 25 yrs latent | Low | Fixed |
| QUICHE | Pre-Auth DoS in HTTP/3 Frame Decoder via QUICHE_BUG | Medium | Submitted |
| RapidJSON | Assertion Failure in Regex Engine | High | Submitted |
| V8 | Bytecode Mismatch in V8 Interpreter (correctness bug) | Medium | Confirmed |
Timeline
Last Campaign Update
62 vulnerabilities reported across 26 projects. Most through OSS-Fuzz harness audits on general open-source software.
Pivot to Generation
Methodology designed and validated on existing harnesses. Two latent upstream library bugs surfaced when broken harnesses were repaired (the OpenSSL DES 25-year over-read and a tidy-html5 lexer leak).
Two-Week Chromium Run
472 harnesses generated across 58 Chrome-stack libraries. 30 vulnerabilities filed upstream, 16 already confirmed. Another 52 fuzzer crashes were caught and dropped by our own internal verification before any reached a maintainer.
Methodology Series Published
Three posts released today, plus this update. All-time numbers: 103 filed across 56 projects, 70 confirmed by maintainers, FP rate under 5%.
What Comes Next
The 33 still-in-flight submissions are being chased through the same Security Proxies. The 12 confirmed-but-not-yet-merged are waiting on upstream maintainer time. The next batch of harness generation widens the Chromium dependency graph (mojo IPC and Skia are next) and applies the same Four Principles framework to a few network-stack libraries beyond Chrome.
Explore the Methodology
The Four Principles framework, the Logic Group abstraction, and the Security Proxies are all open. Reuse encouraged.
— Ze Sheng · Team FuzzingBrain