DEV.co
Open-Source Testing · AFLplusplus

AFLplusplus

AFL++ is a high-performance fuzzer for discovering software vulnerabilities through automated test generation. It extends the original AFL with faster instrumentation, better mutation strategies, and support for binary-only targets via QEMU and Unicorn emulation.

Source: GitHub — github.com/AFLplusplus/AFLplusplus
6.6k
GitHub stars
1.3k
Forks
C
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryAFLplusplus/AFLplusplus
OwnerAFLplusplus
Primary languageC
LicenseAGPL-3.0 — OSI-approved
Stars6.6k
Forks1.3k
Open issues31
Latest releasev5.02c (2026-06-29)
Last updated2026-07-08
Sourcehttps://github.com/AFLplusplus/AFLplusplus

What AFLplusplus is

AFL++ is a coverage-guided fuzzer written in C that instruments binaries at compile-time or runtime to track code coverage and guide input generation. It includes LLVM-based instrumentation, QEMU mode for binary-only fuzzing, collision-free coverage tracking, and advanced mutation operators (MOpt, redqueen, laf-intel).

Quickstart

Get the AFLplusplus source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/AFLplusplus/AFLplusplus.gitcd AFLplusplus# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Vulnerability discovery in open-source libraries

Ideal for fuzzing C/C++ libraries with source access. Use afl-cc to instrument, provide seed inputs, and let AFL++ generate crash-triggering test cases automatically.

Binary-only security testing

QEMU and Unicorn modes enable fuzzing of closed-source binaries, firmware, or libraries without source code. Useful for third-party software and legacy systems.

Continuous fuzzing in CI/CD pipelines

Distributed fuzzing across multiple cores/machines. Generate regression test suites from crash corpus. Docker images available for easy integration into automated security testing.

Implementation considerations

  • Compile target with afl-cc (wrapper around Clang/GCC) to enable instrumentation; requires modifying build system or using provided compiler flags.
  • Create valid seed inputs and optional dictionaries; seed quality directly impacts fuzzing efficiency and bug discovery rate.
  • Configure harness to accept fuzzer-generated input via stdin or file (using @@ placeholder); target must run to completion per input without hangs.
  • Allocate sufficient CPU cores and RAM; parallelization across multiple fuzzer instances is recommended for faster coverage growth.
  • Monitor output directory for crashes/hangs and triage findings; AFL++ identifies crashes but does not assess exploitability—manual security analysis required.

When to avoid it — and what to weigh

  • Internal/proprietary commercial tools required — AGPL-3.0 license requires source disclosure if used to distribute fuzzing tools or services. Proprietary commercial license is available but requires donation arrangement.
  • No expertise with low-level instrumentation — Effective fuzzing demands understanding of coverage-guided feedback, seed corpus design, and target harness construction. Steep learning curve for beginners; poor seed choice or harness will waste resources.
  • Embedded systems with minimal resources — AFL++ requires reasonable CPU cores and memory. QEMU mode has significant overhead. Not suitable for real-time systems or heavily constrained IoT devices.
  • Black-box network protocol fuzzing without customization — Requires protocol-specific dictionary files and harness engineering. Generic fuzzing of network services is less efficient than purpose-built protocol fuzzers without significant domain work.

License & commercial use

Licensed under AGPL-3.0-or-later with files also under Apache-2.0. Source disclosure required if AFL++ itself is distributed or offered as a service. Compiled fuzzing harnesses remain Apache-2.0 licensed. Commercial license available via donation arrangement per LICENSING.md.

AGPL-3.0 copyleft applies to AFL++ source code distribution and SaaS offerings. Internal use for security testing is permitted. Distributing AFL++-based fuzzing tools or services requires either open-sourcing modifications or obtaining a commercial license (contact maintainers for donation-based arrangement). Requires careful review of intended commercial model.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityNeeds review
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

AFL++ is a security tool for discovering vulnerabilities; security of the fuzzer process itself depends on QEMU/Unicorn code quality and system isolation. Fuzzing can trigger crashes and may consume significant system resources (CPU, memory, disk); run in sandboxed environments to prevent fuzzer crashes from affecting production systems. No claims made about AFL++ supply-chain security or source verification; community review is ongoing. Triage findings manually—AFL++ identifies crashes but does not assess severity.

Alternatives to consider

libFuzzer (LLVM)

Coverage-guided in-process fuzzer for C/C++; requires source code; lower overhead than AFL++ for pure source fuzzing but less flexible for binary-only or distributed scenarios. Permissive license (Apache-2.0).

honggfuzz

Coverage-guided fuzzer with QEMU support and feedback-driven mutation; similar use cases to AFL++. More permissive license (Apache-2.0) avoids AGPL complications. Slightly smaller community than AFL++.

Syzkaller

Specialized syscall fuzzer for kernel testing; excellent for OS and driver security. Not suitable for user-space library or application fuzzing. Apache-2.0 licensed.

Software development agency

Build on AFLplusplus with DEV.co software developers

Contact Devco to integrate AFL++ into your security testing pipeline, design effective fuzzing harnesses, and triage findings at scale.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

AFLplusplus FAQ

Can I use AFL++ to fuzz closed-source binaries?
Yes, via QEMU mode (afl-fuzz -Q) or Unicorn mode (afl-fuzz -U) for binary-only fuzzing. QEMU mode works on x86/ARM binaries; Unicorn mode works on various architectures without full system emulation overhead but is less mature.
What's the licensing requirement if I distribute AFL++-based security tools?
AGPL-3.0 requires source disclosure of any modifications or wrapper tools you distribute. Compiling a target with AFL++ instrumentation (the harness) is Apache-2.0 licensed. For proprietary deployment, obtain commercial license via maintainers' donation scheme.
How long does fuzzing typically take to find bugs?
Highly variable—depends on seed quality, target complexity, harness design, and CPU resources. Simple parsers may yield results in minutes; complex software can require hours/days/weeks. No guarantees. Allocate multiple cores and monitor coverage growth.
Do I need to modify my application source code for fuzzing?
You need a fuzzing harness (a small C/C++ wrapper) that calls your target function with fuzzer-supplied input. Recompile with afl-cc instead of your normal compiler. No modifications to core library code typically required, but build system integration is necessary.

Custom software development services

Need help beyond evaluating AFLplusplus? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source testing integrations — and maintain them long-term.

Ready to automate vulnerability discovery?

Contact Devco to integrate AFL++ into your security testing pipeline, design effective fuzzing harnesses, and triage findings at scale.