A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:
These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's because Rust is memory-safe by default!
Have you fuzzed Rust code and found a bug? Please consider adding it to this table via a pull request!
Security issues are marked with a ⚠️ in the "Security?" column. Denial of service, including panics and out-of-memory, are not considered security issues.
Crate  Information  Fuzzer  Category  Security? 

bmfont  panic on unwrapping  libfuzzer  panic 

boa  invalid spans  honggfuzz  logic 

boa  Could not convert to BigInt  honggfuzz  logic 

boa  invalid utf16  honggfuzz  logic 

boa  assignment to number  honggfuzz  logic 

boa  division by zero  honggfuzz  arith 

brotlirs  #10  afl  panic 

brotlirs  #11  afl  panic 

brotlirs  #12  afl  panic 

brotlirs  #2  afl  panic 

brotlirs  #3  afl  panic 

brotlirs  #4  afl  panic 

brotlirs  #5  afl  oor 

brotlirs  #6  afl  arith 

brotlirs  #7  afl  oor 

brotlirs  #8  afl  arith 

brotlirs  #9  afl  arith 

bson  #116  libfuzzer  oom 

bson  multiple bugs, including arithmetic overflow  libfuzzer  arith, other, unwrap

capnprotorust  Multiple bugs, including a memory safety bug  libfuzzer  ⚠️

capnprotorust  reddit, e72746c  libfuzzer  logic

claxon  0fd8815  libfuzzer  unwrap 

claxon  21b1db4  libfuzzer  oor 

claxon  875c3b2  libfuzzer  logic 

claxon  c036944  libfuzzer  logic 

claxon  Massive slowdown on malformed input  libfuzzer  other 

claxon  Memory disclosure on malformed input  afl + libdiffuzz  uninit  ⚠️

comrak  #65  libfuzzer  oor

cpp_demangle  Multiple panics  afl  unwrap, arith

cranelift  #418  libfuzzer  logic 

cssparser  floating-point parsing imprecision  libfuzzer  logic

cursive  grapheme boundary correctness  libfuzzer  utf8 

deflaters  #40  afl  logic 

deflaters  #42  afl  logic 

derparser  arithmetic overflow  libfuzzer  arith 

dhcp4r  #6  libfuzzer  oor 

encoding_rs  #44  afl  logic 

flac  #3  afl  oom 

flac  index out of bounds  libfuzzer  oor 

flif  #26  libfuzzer  oom 

fontdue  arithmetic overflow  libfuzzer  arith 

goblin  memory exhaustion  afl  oom 

h2  #260  honggfuzz  oor 

h2  #261  honggfuzz  panic 

h2  #262  honggfuzz  panic 

hjsonrust  invalid utf8  libfuzzer  utf8 

hjsonrust  subtract with overflow  libfuzzer  arith 

hjsonrust  removal index (is 0) should be < len  libfuzzer  logic 

hjsonrust  panics on ParseIntError  libfuzzer  arith 

httparse  #9  afl  arith 

httpdate  accepted dates like "May 35"  libfuzzer  logic, arith

httpdate  panic on "no character boundary"  libfuzzer  utf8 

hyper  arithmetic overflow  libfuzzer  arith 

image  #1238  afl  oor 

image  #414  afl  logic 

image  #473  afl  arith 

image  #474  afl  unwrap 

image  #477  afl  oor 

image  #622  libfuzzer  oom 

image  #623  libfuzzer  oom 

image  #624  libfuzzer  oom 

image  #625  libfuzzer  oor 

image  #876  afl  oor 

image  #877  afl  arith 

image  #878  afl  oor 

image  Failed to break on an EOF  afl  oor 

inflate  arithmetic overflow  libfuzzer  arith 

ipfix  index out of bounds  libfuzzer  oor 

jpegdecoder  #38  afl  unwrap 

jpegdecoder  #50  afl  oom 

jpegdecoder  arithmetic overflow  libfuzzer  arith 

jsonrust  arithmetic overflow  afl  arith 

juniper  panic on "no character boundary"  libfuzzer  utf8 

just  #363  libfuzzer  logic 

lewton  enormous CPU and memory consumption on crafted input  afl  other 

lewton  index out of bounds  honggfuzz  oor 

lewton  index out of bounds  afl  oor 

lewton  index out of bounds  afl  oor 

lewton  index out of bounds  afl  oor 

lewton  infinite loop  afl  loop 

lewton  large CPU and memory consumption on crafted input  afl  other 

lewton  memory exhaustion due to integer underflow  afl  arith, oom

lewton  memory exhaustion  afl  oom 

lexical  arithmetic overflow  libfuzzer  arith 

lexical  arithmetic overflow  libfuzzer  arith 

lexical  Out-of-bounds read in unsafe code  libfuzzer  oor

libflate  258cf44  honggfuzz  oor 

libflate  6157daa  honggfuzz  panic 

libflate  dc77163  honggfuzz  unwrap 

libflate  Out-of-bounds read in unsafe code  afl  oor

libpnet  arithmetic overflow  libfuzzer  arith 

libstd  overflow in range bounds calculation on Vec::drain  rutenspitz  arith 

lodepngrust  memory leak  libfuzzer  oom 

lzfear  index out of bounds  libfuzzer  oor 

lzfear  index out of bounds  libfuzzer  oor 

lzfear  memory exhaustion  libfuzzer  oom 

lz4_flex  memcpy-param-overlap  libfuzzer  other

lz4_flex  heap-buffer-overflow  libfuzzer  oor  ⚠️

lzmars  behavior mismatch with reference implementation  libfuzzer  logic

minidump  #7  libfuzzer  panic 

miniz_oxide  Infinite loop exhausting memory  libfuzzer  loop, oom

miniz_oxide  Infinite loop  libfuzzer  loop 

Molten  #41  libfuzzer  utf8 

Molten  #42  libfuzzer  oor 

mongo_driver  #55  libfuzzer  unwrap 

mp3metadata  Multiple panics  afl  oor 

mp4parserust  #2  afl  panic 

mp4parserust  #4  afl  panic 

mp4parserust  #5  afl  panic 

mp4parserust  #6  afl  panic 

msgpackrust  #151  afl  oom 

naga  slicing not on a character boundary  libfuzzer  utf8 

ncursesrs  string with \0  libfuzzer  unwrap 

nifti  out of bounds array slicing  libfuzzer  oor 

nom  arithmetic overflow  libfuzzer  arith 

npyrs  arithmetic overflow due to incorrect parameter declaration  libfuzzer  arith, logic

ntp  panic caused by unwrap on invalid input  libfuzzer  unwrap 

num  panic on BigInt parsing  libfuzzer  unwrap

pancurses  string with \0  libfuzzer  unwrap 

parity  panic on BasicDecoder unchecked addition  libfuzzer  arith

pcapng  arithmetic overflow  libfuzzer  arith 

picky  #10  libfuzzer  unwrap 

pickyasn1der  #10  libfuzzer  arith, oom, oor

png  crash on malformed input  afl  oom 

png  incorrect buffer size due to integer overflow  afl  arith, oom

png  infinite loop on crafted input  libfuzzer  loop 

png  panic on malformed input  libfuzzer  oor 

png  panic on malformed input  libfuzzer  unwrap 

png  panic on malformed input  libfuzzer  oor 

png  panic on malformed input  afl  unwrap, logic

prettytablers  subtract with overflow  libfuzzer  arith 

procmacro2  #54  afl  utf8 

procmacro2  #55  afl  so 

prost  Stack overflow  afl  so  ⚠️

pulldowncmark  arithmetic overflow  libfuzzer  arith

pulldowncmark  Overflow ParseIntError  libfuzzer  unwrap 

pulldowncmark  Panics and infinite loop  libfuzzer  loop, utf8, oor

quickxml  arithmetic overflow  libfuzzer  arith 

quickxml  arithmetic overflow  libfuzzer  arith 

quickxml  index out of bounds  libfuzzer  oor 

rawloader  abort on huge memory allocation  afl  oom 

rav1e  Invalid assertion in rate control  libfuzzer  panic 

rav1e  LRF crash when encoding tiny frames  libfuzzer  panic 

rav1e  CDEF UV direction mismatch for 4:2:2  libfuzzer  logic 

rav1e  Safe wrappers forsys dav1d  libfuzzer  logic 

rav1e  Crash with 4 tiles for 1080p 4:2:2  libfuzzer  logic 

rav1e  Buffer underflow in CDEF pad_into_tmp16  libfuzzer  so 

rav1e  Tiling mismatch for 4:2:2  libfuzzer  logic 

rav1e  Encode-decode mismatch  libfuzzer  logic

regex  #417  afl  utf8 

regex  #84  afl  unwrap 

regex  called Option::unwrap() on a None value  honggfuzz  unwrap 

regex  index out of bounds  honggfuzz  oor 

regex  regex parsing panics with blog post  libfuzzer  unwrap 

regex  Unexpected match branch  honggfuzz  logic 

rmpv  Unchecked vector preallocation  afl  oom 

roughenough  handle truncated message  afl  oor 

roughenough  incorrect range check fix  libfuzzer  logic 

roughenough  reject messages with zero tags  afl  logic, oor

roughenough  reject short single tag messages  afl  logic, oor

roughenough  return Error instead of panicking  afl  panic 

roughenough  validate tag offset not past end of message  afl  logic 

roughenough  validate value offset not pass end of message  afl  logic 

rustasn1  #32  afl  oom 

rustini  invalid codepoint  libfuzzer  utf8 

rustsnappy  #12  libfuzzer  oor 

rusturl  #108  afl  oor 

rustc  #24275  afl  other 

rustc  #50577  progfuzz  logic 

rustc  #50582  progfuzz  logic 

rustc  #50585  progfuzz  logic 

rustc  #50600  progfuzz  logic 

rustc  #50637  progfuzz  loop 

rustc  #51070  progfuzz  logic 

rustcdemangle  multiply with overflow  libfuzzer  arith 

rustcserialize  #109  afl  arith 

rustcserialize  #110  afl  panic 

semver  logic error  libfuzzer  logic 

SequoiaPGP  #514  libfuzzer  arith 

SequoiaPGP  #515  libfuzzer  utf8 

SequoiaPGP  #516  libfuzzer  oor 

SequoiaPGP  #516  libfuzzer  oor 

serde  #75  afl  arith 

serde  #77  afl  arith 

serde  #82  afl  so 

serdeyaml  #49  libfuzzer  so 

serdeyaml  #88  libfuzzer  logic 

simple_asn1  #9  libfuzzer  arith, oor

sleepparser  #3  honggfuzz  oor, utf8

smoltcp  arithmetic underflow  libfuzzer  arith 

smoltcp  index out of bounds  libfuzzer  oor 

smoltcp  index out of bounds  libfuzzer  oor 

smoltcp  index out of bounds  libfuzzer  oor 

smoltcp  index out of bounds  libfuzzer  oor 

smoltcp  index out of bounds  libfuzzer  oor 

smoltcp  index out of bounds  libfuzzer  oor 

smoltcp  index out of bounds  libfuzzer  oor 

snmpparser  panic on unwrapping  libfuzzer  unwrap 

sshkeys  #3  afl  oor 

sshkeys  panic on slice indexing  libfuzzer  oor 

sshparser  arithmetic overflow  libfuzzer  arith 

svgparser  arithmetic overflow, bound checking panic, incorrect result  libfuzzer  arith, oor, logic

svgparser  endless loop  libfuzzer  loop 

swfparser  #23  libfuzzer  logic 

sxddocument  use after free  libfuzzer  uaf  ⚠️

syn  Unrecognized literal  libfuzzer  logic

tarrs  #23  afl  arith 

tera  #396  libfuzzer  arith, logic

tiff  index out of bounds  afl  oor 

tiff  infinite loop on malformed input  afl  loop 

tiff  memory exhaustion on malformed input  afl  oom 

tiff  panic on attempt to divide by zero  afl  arith 

tinyvec  arithmetic underflow  rutenspitz  arith 

tinyvec  resize() could set incorrect size for inline storage  rutenspitz  logic 

tinyvec  swap_remove() for last element worked incorrectly  rutenspitz  logic 

todotxt.rs  index out of bounds  libfuzzer  oor 

toml  #178  libfuzzer  logic 

toml  #179  libfuzzer  logic 

toml  #180  libfuzzer  logic 

toml  #181  libfuzzer  logic 

toml  #185  libfuzzer  logic 

toml  #186  libfuzzer  logic 

unicodesegmentation  grapheme boundary correctness  libfuzzer  logic 

unicodesegmentation  word boundary correctness  libfuzzer  logic 

uuid  index out of bounds  libfuzzer  oor 

v_escape  heap buffer overflow  libfuzzer  oor  ⚠️

vosub  arithmetic overflow  libfuzzer  arith

vosub  invalid slice  libfuzzer  oor 

vosub  invalid slice  libfuzzer  oor 

vosub  invalid slice  libfuzzer  panic 

vosub  shift overflow  libfuzzer  arith 

wasmparser.rs  arithmetic overflow  libfuzzer  arith 

waylandrs  #187  libfuzzer  oor 

wsrs  arithmetic overflow  libfuzzer  arith 

xmlrs  #93  afl  utf8 

ziprs  arithmetic overflow  libfuzzer  arith

arith: Arithmetic error, e.g. overflows
logic: Logic bug
loop: Infinite loop
oom: Out of memory
oor: Out of range access
segfault: Program segfaulted
so: Stack overflow
uaf: Use after free
uninit: Program discloses contents of uninitialized memory
unwrap: Call to unwrap on None or Err(_)
utf8: Problem with UTF-8 string handling, e.g. getting a char not at a char boundary
panic: A panic not covered by any of the above
other: Anything that does not fit in another category, or unclear what the problem is