Batch Me If You Can: Coverage-guided RPKI Fuzzing at Scale

📅 2026-05-26
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing fuzzing tools struggle to effectively uncover deep vulnerabilities in RPKI software caused by multi-object dependencies and cryptographic linkages. This work proposes a novel coverage-guided fuzzing approach that integrates a non-sequential mutation strategy, a template-agnostic ASN.1 mutation engine, labeled tree parsing, and function-level side-channel feedback to maintain structure-aware cryptographic validity and enable precise coverage tracking across multi-object repositories. The resulting tool, CAT, achieves the first efficient fuzzing of RPKI systems, delivering a 66× throughput improvement and 24%–47% higher code path coverage compared to state-of-the-art alternatives. CAT has uncovered 21 previously unknown vulnerabilities, eight of which have been assigned high-severity CVE identifiers (CVSS scores ranging from 7.5 to 9.8).
📝 Abstract
The Resource Public Key Infrastructure (RPKI) has become essential to securing inter-domain routing. Despite its critical role, RPKI software remains largely untested beyond shallow parsing. Existing fuzzers such as AFL++ or libFuzzer do not work well for RPKI because they assume a single, self-contained input per execution, whereas RPKI repositories contain hundreds of interdependent, cryptographically linked objects. Existing fuzzers fail to handle this complexity and cannot attribute coverage precisely within multi-object repositories, which breaks feedback-based exploration and thereby misses the most severe vulnerabilities in RPKI validation. In this paper, we overcome these limitations through novel fuzzing techniques, including continuous sampling and using functions as side-channels for per-object coverage attribution in large input repositories. We further show how parsing inputs into a labeled tree allows structural and semantic mutations while preserving cryptographic validity in mutated repositories. We implement our new techniques in a fuzzing tool called CAT, combining non-sequential fuzzing with our template-agnostic ASN.1 mutation engine to achieve a 66x throughput improvement over sequential fuzzing and to explore 24-47% more unique code paths than libFuzzer and previous work. Evaluating CAT on RPKI validators uncovered 21 previously unknown vulnerabilities, with 8 CVEs already assigned (CVSS 7.5-9.8). These include a buffer overflow, Denial-of-Service (DoS), and exploitable repository-poisoning logic flaws. We open-source CAT to enable reproducibility, further research, and adaptation of our methods to other complex cryptography-based protocols such as DNSSEC and TLS.
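The "template-agnostic" labeled-tree idea in the abstract can be illustrated with a minimal DER walker: instead of a per-object-type template, the mutator only needs the tag/length/value structure, so a mutated leaf (here an OCTET STRING grown to 200 bytes) re-encodes with every enclosing length recomputed. This is an added example written for this page, not CAT's code; the sample DER blob is constructed, and the signature regeneration the paper describes for cryptographic validity is out of scope here.

```python
# Minimal labeled-tree ASN.1 (DER) parser/mutator: no schema, only TLV structure.
from dataclasses import dataclass, field

@dataclass
class Node:
    tag: int
    value: bytes = b""                            # primitive content
    children: list = field(default_factory=list)  # constructed content

def _read_len(buf, i):
    first = buf[i]; i += 1
    if first < 0x80:                  # short form
        return first, i
    n = first & 0x7F                  # long form: n length bytes follow
    return int.from_bytes(buf[i:i + n], "big"), i + n

def parse(buf):
    """Parse one DER element at buf[0]; returns (Node, bytes consumed)."""
    tag = buf[0]
    length, i = _read_len(buf, 1)
    body = buf[i:i + length]
    node = Node(tag)
    if tag & 0x20:                    # constructed bit set: recurse into children
        j = 0
        while j < len(body):
            child, used = parse(body[j:])
            node.children.append(child); j += used
    else:
        node.value = body
    return node, i + length

def _enc_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def encode(node):
    """Re-serialize the tree; lengths are recomputed bottom-up, so edits never desync them."""
    body = b"".join(encode(c) for c in node.children) if node.tag & 0x20 else node.value
    return bytes([node.tag]) + _enc_len(len(body)) + body

def mutate(root, path, new_value):
    """Replace the primitive at `path` (list of child indices) and return the re-encoded blob."""
    target = root
    for idx in path:
        target = target.children[idx]
    target.value = new_value
    return encode(root)

# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "ab", SEQUENCE { BOOLEAN TRUE } }
SAMPLE = bytes.fromhex("300c020105040261623003010101")
```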
Problem

Research questions and friction points this paper is trying to address.

RPKI
fuzzing
coverage attribution
interdependent objects
cryptographic validation
Innovation

Methods, ideas, or system contributions that make the work stand out.

coverage-guided fuzzing
RPKI
multi-object repository
ASN.1 mutation
side-channel coverage attribution