Publication Type
Journal Article
Version
publishedVersion
Publication Date
6-2026
Abstract
Context: Patch fuzzing is a technique aimed at identifying vulnerabilities that arise from newly patched code. Researchers have applied patch fuzzing to JavaScript (JS) engines with considerable success, but these efforts have been limited to using ordinary test cases or publicly available vulnerability PoCs (proofs of concept) as seeds, and the sustainability of these approaches is hindered by the difficulty of automating PoC collection. Objective: To address these limitations, we propose an end-to-end sustainable approach for JS engine patch fuzzing, named PatchFuzz. Method: PatchFuzz automates the collection of PoCs for a broader range of historical vulnerabilities and leverages both the PoCs and their corresponding patches to uncover new vulnerabilities more effectively. PatchFuzz starts by identifying git commits that are intended to fix security bugs. It then extracts and processes PoCs from these commits to form the seeds for fuzzing, while using the code revisions to focus limited fuzzing resources on the more vulnerable code areas through selective instrumentation. The mutation strategy of PatchFuzz is also optimized to make the most of the PoCs. Results: Experimental results demonstrate the effectiveness of PatchFuzz. Notably, 54 bugs across six popular JS engines have been exposed, and a total of $62,500 in bounties has been received. Conclusion: PatchFuzz effectively enables sustainable and automated patch fuzzing for JavaScript engines by leveraging historical PoCs and selective instrumentation to focus on vulnerable code regions.
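As an added illustration (not code from the paper or from the PatchFuzz project), the script below sketches the front end of the pipeline the abstract describes: it parses `git log -p` output, flags commits whose messages mention memory-safety bug classes (a keyword heuristic assumed here; the page does not describe how PatchFuzz recognizes security-fix commits), collects the JavaScript test files those commits add as fuzzing seeds, and lists the non-test source files the patch touches as the candidate set for selective instrumentation. The log text, paths and commit contents are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Assumed heuristic: a commit is treated as a security fix when its message names a
# memory-safety bug class or a CVE. PatchFuzz's actual classifier is not given here.
SECURITY_PATTERNS = re.compile(
    r"\b(security|use[- ]after[- ]free|uaf|out[- ]of[- ]bounds|oob|heap overflow|"
    r"type confusion|memory corruption|cve-\d{4}-\d+)\b",
    re.IGNORECASE,
)

# Assumed layout: engine regression tests live under a test/ or tests/ directory.
TEST_PATH = re.compile(r"(^|/)tests?/.*\.js$")


@dataclass
class Commit:
    sha: str
    message: str = ""
    # path -> {"added": bool, "lines": [added source lines]}
    files: dict = field(default_factory=dict)


def parse_git_log(text):
    """Parse `git log -p` text into Commit objects (message + per-file added lines)."""
    commits, cur, cur_file = [], None, None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = Commit(sha=line.split()[1])
            commits.append(cur)
            cur_file = None
        elif cur is None:
            continue
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
            cur_file = {"added": False, "lines": []}
            cur.files[path] = cur_file
        elif cur_file is None:
            # git log indents commit message lines by four spaces
            if line.startswith("    "):
                cur.message += line[4:] + "\n"
        elif line.startswith("new file mode"):
            cur_file["added"] = True
        elif line.startswith("+") and not line.startswith("+++"):
            cur_file["lines"].append(line[1:])
    return commits


def is_security_fix(commit):
    return bool(SECURITY_PATTERNS.search(commit.message))


def extract_seeds(commit):
    """Test files added by the fix are the PoC seeds: {path: js_source}."""
    return {
        path: "\n".join(f["lines"]) + "\n"
        for path, f in commit.files.items()
        if f["added"] and TEST_PATH.search(path)
    }


def instrumentation_targets(commit):
    """Non-test files touched by the patch: the region to instrument selectively."""
    return sorted(p for p in commit.files if not TEST_PATH.search(p))


def build_corpus(log_text):
    """Return (seeds, targets) aggregated over all security-fix commits in the log."""
    seeds, targets = {}, set()
    for commit in parse_git_log(log_text):
        if not is_security_fix(commit):
            continue
        seeds.update(extract_seeds(commit))
        targets.update(instrumentation_targets(commit))
    return seeds, sorted(targets)


# Constructed sample log: two security fixes (each adding a regression test)
# and one unrelated refactor that must be ignored.
SAMPLE_LOG = """\
commit a1b2c3d
Author: dev <dev@example.com>
Date:   Mon Jan 1 00:00:00 2024 +0000

    Fix out-of-bounds read in Array.prototype.splice fast path

diff --git a/src/builtins/array.cc b/src/builtins/array.cc
--- a/src/builtins/array.cc
+++ b/src/builtins/array.cc
@@ -10,3 +10,4 @@
+  if (index >= array->length()) return;
diff --git a/test/regress/regress-splice-oob.js b/test/regress/regress-splice-oob.js
new file mode 100644
--- /dev/null
+++ b/test/regress/regress-splice-oob.js
@@ -0,0 +1,3 @@
+var a = [1, 2, 3];
+a.splice(0, 0, { valueOf() { a.length = 0; return 1; } });
+a.splice(1, 1);
commit d4e5f6a
Author: dev <dev@example.com>
Date:   Tue Jan 2 00:00:00 2024 +0000

    Refactor: rename ParseStatement helper

diff --git a/src/parser/parser.cc b/src/parser/parser.cc
--- a/src/parser/parser.cc
+++ b/src/parser/parser.cc
@@ -5,1 +5,1 @@
+  ParseStatementList();
commit 789abcd
Author: dev <dev@example.com>
Date:   Wed Jan 3 00:00:00 2024 +0000

    Security: fix use-after-free in Map iterator when the map is cleared

diff --git a/src/objects/map.cc b/src/objects/map.cc
--- a/src/objects/map.cc
+++ b/src/objects/map.cc
@@ -20,1 +20,2 @@
+  if (table->IsEmpty()) return ReturnDone(isolate);
diff --git a/test/regress/regress-map-uaf.js b/test/regress/regress-map-uaf.js
new file mode 100644
--- /dev/null
+++ b/test/regress/regress-map-uaf.js
@@ -0,0 +1,4 @@
+var m = new Map([[1, 1]]);
+var it = m.entries();
+m.clear();
+it.next();
"""

if __name__ == "__main__":
    seeds, targets = build_corpus(SAMPLE_LOG)
    print("seeds:", sorted(seeds))
    print("instrument:", targets)
```

The seeds feed the fuzzer's input corpus, and the target list drives which source files get coverage instrumentation when the engine is rebuilt; everything else in the engine can be compiled without instrumentation so that coverage feedback stays focused on the patched code.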
Keywords
Fuzzing, JavaScript engine, Patch
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
Information and Software Technology
Volume
194
First Page
1
Last Page
12
ISSN
0950-5849
Identifier
10.1016/j.infsof.2026.108087
Publisher
Elsevier
Citation
WANG, Junjie; XIE, Zhihua; XIE, Xiaofei; DU, Xiaoning; and ZHANG, Xiangwei.
PatchFuzz: Patch fuzzing for JavaScript engines. (2026). Information and Software Technology. 194, 1-12.
Available at: https://ink.library.smu.edu.sg/sis_research/11017
Copyright Owner and License
Author-CC-BY
Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1016/j.infsof.2026.108087