CVE-2023-26266 In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.
Looks like the patch is in 4.06c and beyond.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=381bbaa4bcd407a37bfc03f2c0ef9303acc6e22b

commit 381bbaa4bcd407a37bfc03f2c0ef9303acc6e22b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-11 14:41:12 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-11 14:41:19 +0000

    [ GLSA 202408-27 ] AFLplusplus: Arbitrary Code Execution

    Bug: https://bugs.gentoo.org/897924
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-27.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)