Warning: Please make sure you are aware of the scope and limitations of this data. An "OK" does not automatically mean that a software is secure.

Core software

OKaclOne day of afl/asan fuzzing turned up nothing.
OKattrOne day of afl/asan fuzzing (2.4.47) turned up nothing
WIPbinutilsMultiple issues found in executable parsers by various people, upstream is actively working on fixing them. Has different independent exec parsers (libbfd, readelf). bug #17512 bug #17531
OKbzip2Received some fuzzing in the past. Requires checksum disabling [patch]
StalecpioOpen (likely RCE) bugs, last release quite old, unclear state [1]
WIPcracklib1 day of afl/asan fuzzing turned up nothing (2.9.6), however there's a yet unreleased buffer overflow in the parsing of long passwords [1].
Staledc/bcIssues reported in November 2014, no release for many years, but still active developers.
OKdiffutilsLong afl-fuzzing turned up nothing
OKexpatSeems robust with preliminary fuzzing.
OKfile/libmagicMultiple issues were fixed in 5.21, e.g. [1], more issues found, now fixed in 5.22 [2] [3]
OKfreetypePreliminary afl/asan fuzzing turned up nothing. It only ships very limited command line tools, not really fuzzing-friendly.
OKgettextLatest release (0.19.4) fixes several known issues, preliminary afl/asan fuzzing turned up no new issues [1]
WIPgiflibgiflib itself is pretty solid, however the tools shipped with it already expose memory bugs without any fuzzed input. ([1] [2] [3]) [4]) [5] [6]
OKgnupgVarious issues were found through fuzzing, latest versions 2.1.2, 2.0.27 and 1.4.19 should fix all of them TFPA 001/2014 TFPA 001/2015
OKgzipHas likely seen many reviews over the years. Fuzzing requires disabling CRC checks.
OKImageMagickIn the past it was pretty easy to fuzz bugs in imagemagick, but after some review by Google most of them have been fixed and these days there are at least no more trivial to find fuzzing issues. GraphicsMagick is a fork of ImageMagick, therefore issues often apply to both.
StaleInfo-ZIPMultiple issues not fixed in a release [1] [2]
OKlessNo known issues, has been fuzzed in the past, communication with developers was not optimal, see [CVE-2014-9488]
OKlibidnWith libidn 1.33 all known issues have been fixed, CVE-2016-6261, CVE-2016-6262, CVE-2016-6263,
WIPlibjpeg-turboUnfixed issues found by afl fuzzing not yet public [1] [2] [3]
OKlibpngExtensive fuzzing didn't turn up any issues, seems robust. Requires checksum disabling [patch]
OKlibxml2Version 2.9.3 fixed a large number of invalid memory access issues (10 CVEs). (There is one issue left, but it's only a test suite issue, thus not affecting library use.)
OKman-dbPreliminary fuzzing done
OKmore (util-linux)Initial afl/asan fuzzing turned up nothing. Probably not many code paths that could expose memory access bugs.
OKopensshMinor issues in key and config file parser have been fixed in 6.8 [1] [2]
OKopensslWhile OpenSSL has seen some severe security issues in the past there are usually no trivial to fuzz bugs in it.
WIPpatchPatch 2.7.2 fixes a couple of issues [1], more issues found and privately disclosed to devs
OKpcrePreliminary fuzzing with afl/asan turned up nothing, has likely seen fuzzing efforts in the past [1]
OKpopplerWith the release of 0.48.0 all known fuzzing-related bugs have been fixed. (older bugs: [1] [2] [3] [4] [5] [6] [7] [8], [9])
OKsed1 day of afl/asan fuzzing with scripts passed with parameter -f turned up nothing (version 4.3, 2017-01-05).
OKsqliteThere were intense fuzzing efforts both for the SQL input and the database file parser, upstream devs now have their own fuzzing efforts (all fixed in
OKtarSeems robust, preliminary afl/asan fuzzing turned up nothing.
OKxzPreliminary fuzzing turned up nothing.
OKzlib2 hours of afl-fuzzing turned up nothing, likely received lots of reviews in the past. Requires CRC-disabling [patch]

Misc software

OK7zPreliminary fuzzing turned up nothing, please note however that 7z supports very many file formats, only core ones (7z, zip) tested for now
StaleantiwordHasn't seen a release for a long time, known issues [1]
UnavailablearjLast release in 2005, known security issues [1]
WIPBerkeley DBHas no real upstream bugtracker which makes it unclear how to report bugs, debian Bugtracker lists quite old issues, reported some issues in public forum [1] [2]
UnavailablecatdocFuzzing immediately turns up multiple issues, no active development, many known issues [1]
OKClamAVUsed to be easy to fuzz, likely worth further fuzzing but the easy-to-find issues should be wiped out.
OKdjvulibre2 days of afl/asan fuzzing turned up nothing (version 2.5.27)
OKdosfstoolsseems robust with preliminary fuzzing
OKdpkgFuzzing DPKG discovered several issues, they were fixed in versions 1.17.26 and 1.16.17 Debian Security Advisory DSA-3407-1 Ubuntu Security Advisory USN-2820-1
WIPelftoolchainMultiple open issues [1]
OKelfutilsHas been fuzzed extensively, since version 0.162 all known issues should be fixed. (older issues: [1] [2] [3], [4])
OKenca1 day of afl/asan-fuzzing turned up nothing.
OKffmpegUsed to be bad, but was improved a lot in recent years [1]
WIPflacSeveral issues found in latest release, no update yet [1]
WIPgdk-pixbufAssert / DoS issue found [1]
StaleghostscriptUpstream bug tracker has fuzzing category which right now lists ~180 unfixed fuzzing-related bugs, most of them from 2013 [1]
WIPGIMPMemory access issues found and reported in import plugins fli tga
WIPGraphicsMagickFuzzing finds multiple issues, upstream usually fixes them within a short time after reports. Please note this is a fork of ImageMagick, therefore issues often apply to both.
WIPgraphvizKnown issues, not yet fixed in a release [1]
OKgroffPreliminary afl/asan-fuzzing turned up nothing
OKgumbo2 days of afl/asan fuzzing turned up nothing.
OKhttp-parserOne day of afl/asan fuzzing with the included parsertrace tool for both requests and responses revealed no issues (2016-06-17, version 2.6.2).
WIPicoutilsCrasher found with afl [1]
WIPiniparserOne bug reported [1] that got fixed, but no release with fix yet.
OKlcmsInitial afl/asan fuzzing (2 hours) turned up nothing.
WIPlibarchiveSeveral open issues [1] [2] [3] [4] [5]
OKlibexifLong afl-fuzzing turned up nothing
OKlibotrCommand line message parser resisted 10 hours of afl/asan fuzzing without crashes or hangs.
OKlibtasn14.4 fixes all known issues [1]
WIPlibtiffLarge number of issues reported and not yet fixed in a release [1] [2]
OKlibwebpProbably received lots of fuzzing (used in Chrome)
WIPlibwpdEndless loops found [1]
OKlibxsltInitial fuzzing with afl/asan turned up nothing
WIPlibyamlafl found issues [1]
OKlinksPreliminary afl/asan fuzzing turned up nothing.
OKlz4One day of afl/asan fuzzing (version r129, 2015-05-13) turned up nothing
OKlzip2 hours of afl and preliminary fuzzing with afl+asan turned up nothing.
OKlzolzo 2.09 fixes all known issues [1], 1 day of afl/asan fuzzing turned up nothing more
WIPmkvtoolnixOpen issues [1] [2]
OKmscompressOne day of afl/asan fuzzing msexpand turned up nothing.
OKmusepackOne day of afl/asan fuzzing turned up nothing (version 475, 2016-12-22).
WIPmuttafl found issues [1]
WIPnasm/ndisasmBoth nasm/ndisasm have unfixed crashers, upstream is working on them ([1] [2] [3]) [4] [5]
OKncompressInitial afl/asan fuzzing didn't turn up any issues.
WIPOpenJPEGIssues not public yet
OKpaxOne day of afl/asan fuzzing turned up nothing.
WIPperlSome issues found [1]
UnavailableprocmailOpen issues, no release for years [1] [2]
OKtaglibOne day of afl/asan fuzzing turned up nothing (2016-12-19, version 1.11).
WIPtcpdump/libpcapmultiple issues in pcap parsing [1] [2] [3]
OKtestdiskfuzzed one day with afl/asal with no results (version 7.0)
OKunrtfHad a number of issues, but with the release of 0.21.8 all known issues are fixed [1]
WIPvimDominique Pellé reported a large number of fuzzing-related bugs and also wrote a tutorial on how to fuzz VIM with afl
Stalevorbis-toolsVarious crashers on malformed input, no or limited upstream reaction [1] [2]
OKw3mPreliminary afl/asan fuzzing turned up nothing
WIPxmltoThe accompanied xmlif tool has several parser issues [1] [2] [3]

If you feel a categorization is unjustified or you want to add something drop me a mail.


Core software lists tools that are available on most Linux/BSD-systems and key libraries that are used by a large number of other software projects. Misc software lists other software.

Certain software projects don't fit at all. That includes software that does no file format parsing (USB/network/other input fuzzing is excluded for now) and some large projects like web browsers. In browsers usually many potential security / fuzzing issues are found all the time and they are fixed within a timely manner. However they usually don't suffer from "easy to fuzz" issues.

OKThis software has received at least some preliminary fuzzing and either no issues turned up or all issues are fixed in the latest release.
WIPWork in progress. Fuzzing has revealed issues, the issues are either quite new or the developers are actively working on fixing them.
StaleThere are known memory access errors that either have no fix or the fix is not released. There is no visible activity in fixing the issues for at least a month.
UnavailableFuzzing has revealed issues and there are no active developers of this software.
UnknownStatus unknown, fuzzing on these may yield promising results.

Please note that for now "OK" is the best a software can get - and that may not be very good. It only tells for now that some preliminary fuzzing happened. One or multiple "Good" categories may be added later with standardized notions what good fuzzing is, but that's nontrivial (probably afl/asan fuzzing with all supported input formats and a defined amount of minimum-time). Of course you're encouraged to prove this list wrong and find issues in the software of the "OK" category.

Software in the orange and red area should not be considered suitable for untrusted inputs.


Please be aware that this data has certain limitations and is not suitable as an overall assesment of software security.

The Fuzzing Project is run by Hanno Böck