FuzzAgent: Multi-Agent System for Evolutionary Library Fuzzing

TL;DR

FuzzAgent introduces a multi-agent evolutionary approach to library fuzzing, improving coverage and bug detection in C/C++ libraries by iteratively refining testing strategies based on runtime feedback.

Contribution

This work presents FuzzAgent, a novel multi-agent system that enhances library fuzzing through iterative, evidence-driven decision making, surpassing existing methods in coverage and bug discovery.

Findings

FuzzAgent achieves 45-92% higher branch coverage than baselines.

It identifies 102 genuine bugs, with 78 already fixed by maintainers.

The system operates fully automatically across 20 real-world libraries.

Abstract

Library fuzzing is essential for hardening the software supply chain, but adopting it at scale remains expensive. Practitioners still spend substantial effort on environment setup, struggle to generate harnesses that respect intricate API constraints, and lack reliable means to tell genuine library bugs from harness-induced crashes. Recent LLM-based systems automate parts of this pipeline, yet they typically operate as one-shot code generators that ignore runtime feedback, which limits both the depth of code they reach and the validity of the bugs they report. We argue that effective library fuzzing is iterative by nature: each campaign exposes new coverage bottlenecks and crashes, and the next campaign should evolve from these signals rather than restart from scratch. Building on this insight, we present FuzzAgent, a multi-agent system that turns library fuzzing into an evolutionary process, in which a team of specialized agents collaborates over the full fuzzing lifecycle and grounds every decision in concrete runtime evidence, so that the harness suite is successively refined toward deeper coverage and higher-fidelity crash analysis across rounds. We evaluate FuzzAgent on 20 real-world C/C++ libraries against four state-of-the-art baselines (OSS-Fuzz, OSS-Fuzz-Gen, PromptFuzz, and PromeFuzz). FuzzAgent completes the full fuzzing lifecycle for all 20 libraries without human intervention and reaches 179619 branches, exceeding OSS-Fuzz, PromptFuzz, PromeFuzz, and OSS-Fuzz-Gen by 45.1%, 73.2%, 92.1%, and 191.2%, respectively. FuzzAgent also identifies 102 genuine library bugs, 78 of which have already been acknowledged and fixed by upstream maintainers.