Fuzzing PostgreSQL | POSETTE: An Event for Postgres 2026

Adam Wolk explains how fuzzing can uncover edge-case bugs in PostgreSQL, focusing on the libpq client library and the networking protocol surface. He covers why fuzzing works, what makes a good target in Postgres, and practical steps for building harnesses and mutating protocol inputs.

Overview

This talk is a practical guide to applying fuzzing to PostgreSQL-related projects, with an emphasis on security-relevant bug discovery in large, stateful systems.

Key themes covered:

• What fuzzing is and why it finds bugs that other testing techniques often miss
• The difference between purely random fuzzing and coverage-guided fuzzing
• How fuzzers can effectively explore complex input spaces (including structured formats)
• Why PostgreSQL is a good fuzzing target, and how to think about its attack surface
• Why the client library libpq is a high-value fuzzing target (it processes network connections before the server sees a query)
• How to get started:
  • Building minimal fuzzing harnesses
  • Generating and mutating protocol inputs
  • Reasoning about what makes fuzzing effective on complex C codebases

Video chapters

• 0:00 Music & introduction
• 0:47 Speaker intro: security and systems background
• 1:39 What is fuzzing? From random to coverage feedback
• 5:00 Toy C program: 6 branches to a hidden crash
• 8:28 Fuzzers in action: AFL and Honggfuzz
• 10:36 Pulling JPEGs out of thin air: fuzzers as learners
• 11:56 Testing is polite, fuzzing is rude
• 13:37 Why fuzz PostgreSQL? An attack-surface map
• 16:33 Networking protocol and libpq as the high-value target
• 17:00 Prior talks and the challenges of fuzzing Postgres
• 20:21 A simpler harness approach and live demo
• 22:20 Lessons learned and what's next

Links

• POSETTE conference: https://posetteconf.com
• More POSETTE talks playlist: https://aka.ms/posette-playlist