Pith Number

pith:BDZHSYIJ

pith:2026:BDZHSYIJH2EZI5FPSHPZM4CAPD
Status: not attested · not anchored · not stored · refs resolved

OverrideFuzz: Semantic-Aware Grammar Fuzzing for Script-Runtime Vulnerabilities

Yiran Qiu

OverrideFuzz uses two-phase semantic-aware grammar fuzzing to reach script runtime boundary behaviors that trigger known vulnerability patterns.

arxiv:2605.12563 v1 · 2026-05-12 · cs.CR · cs.PL

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{BDZHSYIJH2EZI5FPSHPZM4CAPD}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim: open
4 Citations: open
5 Replications: open
Portable graph bundle: live (merged state)
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 (strongest claim)

Corpus analysis shows that OverrideFuzz reconstructs inputs matching known vulnerability patterns, which suggests that semantic-aware generation reaches the intended script-native boundary behaviors.

C2 (weakest assumption)

That passive reflection from error messages removes only invalid shapes while preserving all operation shapes capable of triggering boundary bugs, and that the bounded evaluation window is long enough to demonstrate vulnerability-finding power.

C3 (one-line summary)

OverrideFuzz uses semantic-aware grammar fuzzing with reflection to model override hooks and dynamic rebinding, producing coverage growth and inputs that match known vulnerability patterns on CPython, Lua, and QuickJS, without discovering new bugs in the evaluation window.

References

23 extracted · 23 resolved · 0 Pith anchors

Receipt and verification

First computed: 2026-05-18T03:10:01.928033Z
Builder: pith-number-builder-2026-05-17-v1
Signature: Pith Ed25519 (pith-v1-2026-05)
Schema: pith-number/v1.0

Canonical hash

08f27961093e899474af91df96704078ccc5a8a3cc96dbeebddc45613500827a

Aliases

arxiv: 2605.12563
arxiv_version: 2605.12563v1
doi: 10.48550/arxiv.2605.12563
pith_short_8: BDZHSYIJ
pith_short_12: BDZHSYIJH2EZ
pith_short_16: BDZHSYIJH2EZI5FP

Agent API
Verify this Pith Number yourself
# Fetch the JSON-LD record, extract canonical_record, re-serialize it with
# sorted keys, no whitespace and raw UTF-8 (ensure_ascii=False), then SHA-256
# the resulting bytes. Any deviation from those serializer settings produces
# a different digest, so the comparison is byte-exact.
curl -sH 'Accept: application/ld+json' https://pith.science/pith/BDZHSYIJH2EZI5FPSHPZM4CAPD \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 08f27961093e899474af91df96704078ccc5a8a3cc96dbeebddc45613500827a

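The pipeline above hashes whatever bytes json.dumps emits with those exact options, so an independent verifier or mirror must reproduce the serializer settings byte for byte. The following Python is an added example, not code from pith.science: it reimplements that canonicalization offline on a transcribed copy of the canonical record JSON printed on this page (with its key order deliberately scrambled), shows which deviations change the digest (default separators, ASCII escaping, unsorted keys, a tampered field), and compares the recomputed value against the page's published hash in constant time. The function names, PAGE_RECORD, PAGE_HASH and the non-ASCII sample record are this example's own.

```python
import hashlib
import hmac
import json


def canonical_bytes(record: dict) -> bytes:
    """Serialize exactly as the page's verification pipeline does: sorted keys,
    no whitespace, non-ASCII kept as raw UTF-8 (ensure_ascii=False)."""
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def canonical_sha256(record: dict) -> str:
    """Hex SHA-256 over the canonical bytes; this is what the page calls the
    'Canonical hash'."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify_record(record: dict, expected_hex: str) -> bool:
    """Recompute the digest and compare it in constant time to a published one."""
    return hmac.compare_digest(canonical_sha256(record), expected_hex.lower())


def digest_variants(record: dict) -> dict:
    """Digests a verifier obtains when it deviates from the page's serializer
    settings. Every deviation that changes the bytes changes the hash."""
    def h(s: str) -> str:
        return hashlib.sha256(s.encode("utf-8")).hexdigest()

    return {
        "canonical": canonical_sha256(record),
        # default separators insert ', ' and ': ' between tokens
        "default_separators": h(json.dumps(record, sort_keys=True, ensure_ascii=False)),
        # ensure_ascii=True (the default) turns 'ö' into the escape \u00f6
        "ascii_escaped": h(json.dumps(record, sort_keys=True, separators=(",", ":"))),
        # insertion order instead of sorted keys
        "unsorted": h(json.dumps(record, separators=(",", ":"), ensure_ascii=False)),
    }


def tampered_copy(record: dict) -> dict:
    """Deep copy with one field changed (source.version bumped), as a mirror
    serving a modified record would produce. Expects a 'source' object."""
    copy = json.loads(json.dumps(record))
    copy["source"]["version"] = copy["source"].get("version", 0) + 1
    return copy


# Constructed copy of the canonical record printed on this page, transcribed
# with deliberately scrambled key order: canonicalization must make the
# insertion order irrelevant.
PAGE_RECORD = {
    "source": {"kind": "arxiv", "version": 1, "id": "2605.12563"},
    "schema_version": "1.0",
    "metadata": {
        "title_canon_sha256": "58611490f6525e788491ce2f11a07d948e2bd9e823bfe2f3b5f948429fd394ac",
        "submitted_at": "2026-05-12T03:57:35Z",
        "primary_cat": "cs.CR",
        "license": "http://creativecommons.org/licenses/by-sa/4.0/",
        "cross_cats_sorted": ["cs.PL"],
        "abstract_canon_sha256": "a6719b9eaac0d3b7554575ba7c2cd8f5b849cee375f3f73b69807f1708fccb68",
    },
}

# The value printed on this page under "Canonical hash".
PAGE_HASH = "08f27961093e899474af91df96704078ccc5a8a3cc96dbeebddc45613500827a"

# Constructed record with a non-ASCII value, to expose the ensure_ascii pitfall.
NON_ASCII_RECORD = {"title": "Schrödinger", "version": 1}


if __name__ == "__main__":
    print("canonical bytes:", canonical_bytes(PAGE_RECORD).decode()[:72], "...")
    print("recomputed hash:", canonical_sha256(PAGE_RECORD))
    print("matches page:   ", verify_record(PAGE_RECORD, PAGE_HASH))
    for name, digest in digest_variants(PAGE_RECORD).items():
        print(f"{name:>20}: {digest}")
    for name, digest in digest_variants(NON_ASCII_RECORD).items():
        print(f"non-ascii {name:>10}: {digest}")
```

A False from verify_record on the transcribed copy means the transcription or the page differs from the live record, which is exactly the signal the check exists for. Note that this scheme is the page's own (sorted keys, compact separators, UTF-8) and is not RFC 8785 JSON Canonicalization; for records containing floats or non-NFC Unicode the two could disagree, so a mirror recomputing state must use the same serializer settings rather than "canonical JSON" in the abstract.
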
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "a6719b9eaac0d3b7554575ba7c2cd8f5b849cee375f3f73b69807f1708fccb68",
    "cross_cats_sorted": [
      "cs.PL"
    ],
    "license": "http://creativecommons.org/licenses/by-sa/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-12T03:57:35Z",
    "title_canon_sha256": "58611490f6525e788491ce2f11a07d948e2bd9e823bfe2f3b5f948429fd394ac"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.12563",
    "kind": "arxiv",
    "version": 1
  }
}