🤖 AI Summary
Traditional 5G security testing predominantly relies on black-box fuzzing, which struggles to access internal program states and coverage feedback, thereby limiting the discovery of deep-seated vulnerabilities. This work proposes a multi-component coverage-guided gray-box fuzzing approach tailored for 5G protocols, introducing an innovative mechanism for coordinated coverage collection across protocol components and a test case scoring strategy that jointly optimizes efficiency and coverage. By integrating dynamic instrumentation with adaptive scheduling, the method overcomes the constraints of relying solely on system-level responses. Experimental evaluation on OpenAirInterface demonstrates that, within 24 hours, the approach improves branch and line coverage by 5.85% and 7.17%, respectively, increases unique crash detection by 16%, and successfully uncovers three zero-day vulnerabilities, two of which are reported for the first time.
📝 Abstract
As mobile networks transition to 5G infrastructure, ensuring robust security becomes more important due to the complex architecture and expanded attack surface. Traditional security testing approaches for 5G networks rely on black-box fuzzing techniques, which are limited by their inability to observe internal program state and coverage information. This paper presents MulCovFuzz, a novel coverage-guided greybox fuzzing tool for 5G network testing. Unlike existing tools that depend solely on system response, MulCovFuzz implements a multi-component coverage collection mechanism that dynamically monitors code coverage across different components of the 5G system architecture. Our approach introduces a novel testing paradigm that includes a scoring function combining coverage rewards with efficiency metrics to guide test case generation. We evaluate MulCovFuzz on the open-source 5G implementation OpenAirInterface. Our experimental results demonstrate that MulCovFuzz significantly outperforms traditional fuzzing approaches, achieving a 5.85% increase in branch coverage, a 7.17% increase in line coverage, and a 16% improvement in unique crash discovery during 24 hours of fuzz testing. MulCovFuzz uncovered three zero-day vulnerabilities, two of which were not identified by any other fuzzing technique. This work contributes to the advancement of security testing tools for next-generation mobile networks.