Code Intelligence is happy to announce the discovery of a heap-based use-after-free vulnerability in wolfSSL, identified through a fuzz test automatically generated by an AI Test Agent. This marks another milestone in advancing automated security testing and demonstrates the power of AI-driven tools to improve software reliability and safety.
Discovery and Resolution
The vulnerability was identified during the final week of October 2024.
Remarkably, the discovery required no manual intervention—beyond setting up the project and typing “cifuzz spark” into the command line. This fuzz test, automatically generated and executed by Spark, the AI Test Agent, uncovered the critical data that exposed the flaw.
Spark, the AI Test Agent, is an enhancement to ?ode Intelligence’s fuzz testing product CI Fuzz. Leveraging LLMs and advanced static analysis, it autonomously identifies the most critical functions in the codebase to fuzz, generates and runs fuzz tests, and thus, finds bugs and vulnerabilities.
Spark will be publicly demonstrated to the security and software development community on January 28, 2025. Secure your free spot here.
Spark uncovered the vulnerability in wolfSSL during its final beta testing. Code Intelligence reported the issue to the wolfSSL team immediately, and they responded with exceptional efficiency, resolving the vulnerability within 3 days.
The fix was officially included in release wolfSSL 5.7.6 on 31 December 2024.
In the only manual step, Peter Samarin from Code Intelligence has assessed and confirmed that the vulnerability exists and is exploitable under specific conditions.
We encourage developers to update to the latest version of wolfSSL to mitigate any potential risks.
What Is a Heap-Based Use-After-Free?
A heap-based use-after-free vulnerability occurs when a program continues to access memory on the heap after it has been freed.
In a typical scenario, a program allocates memory, uses it, and then frees it. However, if there is a mistake in memory management, such as a dangling pointer, a subsequent access attempt may interact with memory that has already been reallocated for another use.
This can lead to unexpected behavior, crashes, or—more worryingly—security exploits that allow attackers to execute arbitrary code or manipulate program behavior maliciously.
We are grateful to the Code Intelligence team for uncovering and reporting the vulnerability to us. You can explore the technical details of the issue in Code Intelligence’s blog post.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now