QUIC-Fuzz: An Effective Greybox Fuzzer For The QUIC Protocol

📅 2025-03-25
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address the security testing challenge posed by QUIC’s encrypted, asynchronous, and stateful interactions—which severely limit conventional fuzzing efficacy—this paper introduces QUIC-Fuzz, the first lightweight, state-aware grey-box fuzzer specifically designed for QUIC. Its core contributions are: (1) a QUIC-specific feedback mechanism integrating finite-state machine modeling with encryption-handshake context awareness; (2) state-driven mutation strategies and an efficient target initialization method; and (3) execution optimizations leveraging LLVM-based instrumentation and lightweight process reuse. Evaluated on six mainstream QUIC servers—including implementations by Google and Alibaba—QUIC-Fuzz discovered 10 previously unknown vulnerabilities (including two assigned CVEs), many of which are unreachable by existing tools. Moreover, it achieves up to 84% higher code coverage than state-of-the-art fuzzers.

📝 Abstract
Network applications are routinely under attack. We consider the problem of developing an effective and efficient fuzzer for the recently ratified QUIC network protocol to uncover security vulnerabilities. QUIC offers a unified transport layer for low-latency, reliable transport streams that is inherently secure, ultimately representing a complex protocol design characterised by new features and capabilities for the Internet. Fuzzing a secure transport layer protocol is not trivial. The interactive, strict, rule-based, asynchronous nature of communications with a target, the stateful nature of interactions, security mechanisms that protect communications (such as integrity checks and encryption), and inherent overheads (such as target initialisation) challenge generic network protocol fuzzers. We discuss and address the challenges pertinent to fuzzing transport layer protocols (like QUIC), developing mechanisms that enable fast, effective fuzz testing of QUIC implementations, to build a prototype grey-box mutation-based fuzzer: QUIC-Fuzz. We test 6 well-maintained server-side implementations, including those from Google and Alibaba, with QUIC-Fuzz. The results demonstrate that the fuzzer is both highly effective and generalisable. Our testing uncovered 10 new security vulnerabilities, precipitating 2 CVE assignments thus far. In code coverage, QUIC-Fuzz outperforms existing state-of-the-art network protocol fuzzers (Fuzztruction-Net, ChatAFL, and AFLNet) with up to an 84% increase in code coverage; QUIC-Fuzz outperformed them with statistical significance across all targets, and the majority of bugs were discoverable only by QUIC-Fuzz. We open-source QUIC-Fuzz on GitHub.
Problem

Research questions and friction points this paper is trying to address.

Developing an effective fuzzer for QUIC protocol vulnerabilities
Addressing challenges in fuzzing secure transport layer protocols
Enhancing code coverage and bug detection in QUIC implementations
Innovation

Methods, ideas, or system contributions that make the work stand out.

Greybox mutation-based fuzzer for QUIC
Addresses QUIC's security and state challenges
Outperforms existing fuzzers in code coverage