Trail of Bits · Friday · July 3, 2026 · FREE

GPT-5.5-Cyber built a zlib fuzzing lab in a day

gpt-5.5-cyber · fuzzing · ai-security · open-source

Trail of Bits, in collaboration with OpenAI, is running Patch the Planet, pairing engineers with over 30 open-source projects to address the anticipated flood of bug reports from advanced AI models. In a field report, they describe how GPT-5.5-Cyber built a zlib fuzzing lab in a single day—a task that would have taken weeks for a skilled security researcher. The model autonomously decided that static review was ineffective and instead built dynamic fuzzing tooling. It used ASan and UBSan builds, repurposed edge-case tests as seed guidance, and wrote C/C++ harnesses across a dozen entrypoints including inflate, inflateBack, uncompress2, gzFile, MiniZip, puff, blast, infback9, gzjoin, gzappend, and several contrib stream wrappers. It also used compile-time variant builds (INFLATE_STRICT, BUILDFIXED, PKZIP_BUG_WORKAROUND) to reach hidden code paths. The model demonstrated reporting discipline by logging a null callback crash in inflateBack as unreachable (since it required unlikely caller state) and moving on to find higher-impact issues. Trail of Bits attributes this capability to the frontier 5.5-Cyber model combined with the /goal feature, which maintained scope across multiple turns. The findings are currently undergoing coordinated disclosure, and the full harness will be published once vulnerabilities are patched.
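To make the seed-guided harness idea concrete, here is an added example (not the Trail of Bits or model-written harness, which is unpublished): a small differential fuzzer for the inflate entrypoint that mutates edge-case seeds and checks that one-shot and byte-at-a-time decompression agree. It uses Python's standard zlib binding as a stand-in for a C harness built with ASan/UBSan; the function names, seed corpus and mutation strategy are all assumptions.

```python
import random
import zlib

PAYLOAD = b"patch the planet " * 8  # constructed sample data

def make_seeds():
    """Constructed seed corpus: valid streams plus edge cases a unit test would cover."""
    stored = zlib.compressobj(level=0)  # level 0 emits stored (uncompressed) blocks
    return [
        zlib.compress(b""),                         # empty payload
        zlib.compress(PAYLOAD, 9),                  # Huffman coding with back-references
        stored.compress(PAYLOAD) + stored.flush(),  # stored-block path
        zlib.compress(PAYLOAD)[:-3],                # truncated Adler-32 trailer
    ]

def mutate(data, rng):
    """Apply 1-4 random bit flips, byte deletions or byte insertions."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def inflate_chunked(data, chunk):
    """Run one inflate stream over data in chunk-sized reads; return (status, output)."""
    d = zlib.decompressobj()
    out = bytearray()
    try:
        for i in range(0, len(data), chunk):
            out += d.decompress(data[i:i + chunk])
            if d.eof:        # stream ended; anything left is trailing data
                break
    except zlib.error:
        return "error", b""  # partial output before an error is not compared
    return ("ok" if d.eof else "incomplete"), bytes(out)

def campaign(iterations, seed=0):
    """Return mutated inputs where one-shot and byte-at-a-time inflate disagree."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    seeds = make_seeds()
    findings = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        if inflate_chunked(case, max(1, len(case))) != inflate_chunked(case, 1):
            findings.append(case)
    return findings

if __name__ == "__main__":
    print(len(campaign(2000)), "disagreements")
```

Any input returned by `campaign` is a chunking-dependent behaviour worth triaging; memory-safety faults themselves would only surface in a sanitizer build of the C library.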

// why it matters

The expertise barrier for bespoke fuzzing campaigns is gone, threatening to overwhelm open-source maintainers with bug reports.

Sources

Primary · Trail of Bits
▸ Read original at blog.trailofbits.com
