CVE-2023-26266
Description
In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AFL++ 4.05c CmpLog component resolves unprefixed fuzzing targets from current working directory instead of PATH, enabling code execution via malicious executable in the working directory.
Vulnerability
In AFL++ version 4.05c, the CmpLog component incorrectly resolves unprefixed fuzzing targets (e.g., targetapp instead of /path/to/targetapp) by searching the current working directory (PWD) rather than the system PATH. This affects standard instrumented mode and Frida mode, but not QEMU mode [1]. The bug violates the expected behavior that unprefixed executables should be resolved via PATH.
Exploitation
An attacker who can place a malicious executable with the same name as the intended target in the user's current working directory can cause AFL++ to execute that malicious binary instead of the legitimate one. The attacker does not need authentication or special privileges beyond the ability to write a file to the directory where the user runs AFL++. The user must invoke afl-fuzz with an unprefixed target path (e.g., -- targetapp).
Impact
Successful exploitation allows arbitrary code execution in the context of the user running AFL++. The attacker gains the ability to execute arbitrary commands, potentially leading to full compromise of the user's system or data exfiltration.
Mitigation
The vulnerability is fixed in the pull request [1] by modifying the CmpLog component to search for unprefixed targets in PATH instead of PWD. Users should update to a patched version of AFL++ (after the fix is merged). As a workaround, always provide full paths to fuzzing targets (e.g., /usr/bin/targetapp) to avoid reliance on PATH resolution. No CVE-specific KEV listing is known.
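As an added defensive pre-flight check (example code written for this page, not part of the AFL++ project or the referenced pull request), the following POSIX shell functions perform the PATH lookup that the fix describes and refuse to proceed when an unprefixed target name is also present in the current working directory, which is exactly the condition the 4.05c CmpLog lookup would pick up. The names path_lookup and check_target, the exit codes, and the wrapper usage at the bottom are assumptions of this example.

```sh
#!/bin/sh
# Added example, not AFL++ code: run before afl-fuzz to verify where an
# unprefixed target name would resolve and to catch a same-named file in $PWD.

# path_lookup NAME: walk $PATH like a shell would and print the first
# executable regular file found; exit 1 if none. Empty PATH entries mean
# the current directory under POSIX, so they are mapped to "." explicitly.
path_lookup() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_target TARGET: print the path the target should run from.
# Exit 0: unambiguous (prefixed path, or unprefixed name found only via PATH).
# Exit 2: a file with the same name exists in the current directory, so a
#         PWD-first lookup (AFL++ 4.05c CmpLog) would run it; pass a full path.
# Exit 1: unprefixed name not found anywhere in PATH.
check_target() {
    target=$1
    case $target in
        */*)
            # Contains a slash: resolved relative to cwd or absolute, never via PATH.
            printf '%s\n' "$target"
            return 0
            ;;
    esac
    if [ -e "./$target" ]; then
        printf 'warning: ./%s exists in the current directory; a PWD-based lookup would execute it, use a full path\n' "$target" >&2
        return 2
    fi
    resolved=$(path_lookup "$target") || {
        printf 'error: %s not found in PATH\n' "$target" >&2
        return 1
    }
    printf '%s\n' "$resolved"
}

# Usage (assumed wrapper): ./check_target.sh targetapp
[ $# -eq 0 ] || check_target "$1"
```

Run it with the same target argument you would hand to afl-fuzz after `--`; a zero exit and a printed absolute path mean the invocation is unambiguous, and exit code 2 means an identically named file in the working directory would shadow the intended binary under the vulnerable lookup.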
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AFL++/AFL++
- Range: =4.05c
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.