AFLplusplus
AFL++ is a high-performance fuzzer for discovering software vulnerabilities through automated test generation. It extends the original AFL with faster instrumentation, better mutation strategies, and support for binary-only targets via QEMU and Unicorn emulation.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | AFLplusplus/AFLplusplus |
| Owner | AFLplusplus |
| Primary language | C |
| License | AGPL-3.0 — OSI-approved |
| Stars | 6.6k |
| Forks | 1.3k |
| Open issues | 31 |
| Latest release | v5.02c (2026-06-29) |
| Last updated | 2026-07-08 |
| Source | https://github.com/AFLplusplus/AFLplusplus |
What AFLplusplus is
AFL++ is a coverage-guided fuzzer written in C that instruments binaries at compile-time or runtime to track code coverage and guide input generation. It includes LLVM-based instrumentation, QEMU mode for binary-only fuzzing, collision-free coverage tracking, and advanced mutation operators (MOpt, redqueen, laf-intel).
Get the AFLplusplus source
Clone the repository and explore it locally.
git clone https://github.com/AFLplusplus/AFLplusplus.gitcd AFLplusplus# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Compile target with afl-cc (wrapper around Clang/GCC) to enable instrumentation; requires modifying build system or using provided compiler flags.
- Create valid seed inputs and optional dictionaries; seed quality directly impacts fuzzing efficiency and bug discovery rate.
- Configure harness to accept fuzzer-generated input via stdin or file (using @@ placeholder); target must run to completion per input without hangs.
- Allocate sufficient CPU cores and RAM; parallelization across multiple fuzzer instances is recommended for faster coverage growth.
- Monitor output directory for crashes/hangs and triage findings; AFL++ identifies crashes but does not assess exploitability—manual security analysis required.
When to avoid it — and what to weigh
- Internal/proprietary commercial tools required — AGPL-3.0 license requires source disclosure if used to distribute fuzzing tools or services. Proprietary commercial license is available but requires donation arrangement.
- No expertise with low-level instrumentation — Effective fuzzing demands understanding of coverage-guided feedback, seed corpus design, and target harness construction. Steep learning curve for beginners; poor seed choice or harness will waste resources.
- Embedded systems with minimal resources — AFL++ requires reasonable CPU cores and memory. QEMU mode has significant overhead. Not suitable for real-time systems or heavily constrained IoT devices.
- Black-box network protocol fuzzing without customization — Requires protocol-specific dictionary files and harness engineering. Generic fuzzing of network services is less efficient than purpose-built protocol fuzzers without significant domain work.
License & commercial use
Licensed under AGPL-3.0-or-later with files also under Apache-2.0. Source disclosure required if AFL++ itself is distributed or offered as a service. Compiled fuzzing harnesses remain Apache-2.0 licensed. Commercial license available via donation arrangement per LICENSING.md.
AGPL-3.0 copyleft applies to AFL++ source code distribution and SaaS offerings. Internal use for security testing is permitted. Distributing AFL++-based fuzzing tools or services requires either open-sourcing modifications or obtaining a commercial license (contact maintainers for donation-based arrangement). Requires careful review of intended commercial model.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Needs review |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
AFL++ is a security tool for discovering vulnerabilities; security of the fuzzer process itself depends on QEMU/Unicorn code quality and system isolation. Fuzzing can trigger crashes and may consume significant system resources (CPU, memory, disk); run in sandboxed environments to prevent fuzzer crashes from affecting production systems. No claims made about AFL++ supply-chain security or source verification; community review is ongoing. Triage findings manually—AFL++ identifies crashes but does not assess severity.
Alternatives to consider
libFuzzer (LLVM)
Coverage-guided in-process fuzzer for C/C++; requires source code; lower overhead than AFL++ for pure source fuzzing but less flexible for binary-only or distributed scenarios. Permissive license (Apache-2.0).
honggfuzz
Coverage-guided fuzzer with QEMU support and feedback-driven mutation; similar use cases to AFL++. More permissive license (Apache-2.0) avoids AGPL complications. Slightly smaller community than AFL++.
Syzkaller
Specialized syscall fuzzer for kernel testing; excellent for OS and driver security. Not suitable for user-space library or application fuzzing. Apache-2.0 licensed.
Build on AFLplusplus with DEV.co software developers
Contact Devco to integrate AFL++ into your security testing pipeline, design effective fuzzing harnesses, and triage findings at scale.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
AFLplusplus FAQ
Can I use AFL++ to fuzz closed-source binaries?
What's the licensing requirement if I distribute AFL++-based security tools?
How long does fuzzing typically take to find bugs?
Do I need to modify my application source code for fuzzing?
Custom software development services
Need help beyond evaluating AFLplusplus? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source testing integrations — and maintain them long-term.
Ready to automate vulnerability discovery?
Contact Devco to integrate AFL++ into your security testing pipeline, design effective fuzzing harnesses, and triage findings at scale.