
AgentFlow Automatically Synthesizes Multi-Agent Systems for Vulnerability Discovery, Unearths Chrome Sandbox Escape Zero-Days

According to Dynamic Beating monitoring, the UCSB Yutong Feng team, in collaboration with fuzz.land and other organizations, proposed AgentFlow, which automatically synthesizes multi-agent harnesses (programs that orchestrate agent roles, information exchange, tool allocation, and retry logic) for vulnerability discovery. The paper points out that modifying only the harness, with the model unchanged, can multiply the success rate several times. However, existing solutions are mostly written by hand or search only a local design space.


AgentFlow uses a typed graph DSL to unify five dimensions of the harness (roles, topology, message patterns, tool bindings, and coordination protocols) into an editable graph program, so that a single step can change agents, topology, prompts, and toolsets simultaneously. The outer loop locates failure points from runtime signals such as coverage of the target program and sanitizer reports, rather than from binary pass/fail feedback. On TerminalBench-2, paired with Claude Opus 4.6, it achieved 84.3% (75/89), the highest score in the benchmark's category.


In the Chrome codebase (35 million lines of C/C++), the system synthesized a harness with 18 roles and approximately 210 agents, including 7 subsystem analyzers, 192 parallel explorers, and a four-stage crash triage pipeline. In that pipeline, dedicated agents such as Crash Filter and Root Cause Analyzer deduplicate crashes by unique ASAN crash signature. Running on 192 H100 GPUs for 7 days with the open-source model Kimi K2.5, it discovered 10 zero-day vulnerabilities, all confirmed through the Chrome VRP. Six of them have received CVE identifiers, spanning components such as WebCodecs, Proxy, Network, Codecs, and Rendering, with bug types including UAF, integer overflow, and heap buffer overflow. Among them, CVE-2026-5280 and CVE-2026-6297 are Critical-level sandbox escapes.
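
To make the triage step concrete, here is an added example (not AgentFlow's code) of deduplicating sanitizer reports by crash signature. It assumes a signature made of the ASAN bug type plus the top three non-runtime frames of the crashing stack; the reports are constructed and the `demo::` function names are hypothetical.

```python
import hashlib
import re
from collections import defaultdict

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) \S+$")
RUNTIME = ("__asan_", "__interceptor_", "__sanitizer_")  # sanitizer runtime frames to skip

def crash_signature(report, depth=3):
    """Return (bug_type, top_frames, digest) for an ASAN report, or None if it is not one."""
    m = ERROR_RE.search(report)
    if m is None:
        return None
    bug_type, frames, in_stack = m.group(1), [], False
    for line in report[m.end():].splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            in_stack = True
            func = re.sub(r"\(.*\)$", "", fm.group(1))  # drop the argument list
            if not func.startswith(RUNTIME):
                frames.append(func)
        elif in_stack:
            break  # crashing stack ended; later stacks are alloc/free sites
    top = tuple(frames[:depth])
    digest = hashlib.sha256("|".join([bug_type, *top]).encode()).hexdigest()[:16]
    return bug_type, top, digest

def deduplicate(reports):  # signature digest -> indices of reports sharing it
    buckets = defaultdict(list)
    for idx, report in enumerate(reports):
        sig = crash_signature(report)
        if sig:
            buckets[sig[2]].append(idx)
    return dict(buckets)

def _sample(pid, kind, addr, funcs):  # builds a constructed ASAN-style report
    head = f"=={pid}==ERROR: AddressSanitizer: {kind} on address {addr} at pc 0x55d0 bp 0x7ffc sp 0x7ff0\nREAD of size 8 at {addr} thread T0\n"
    stack = "".join(f"    #{i} 0x55d{i:03x} in {fn} /src/demo/file{i}.cc:{10 + i}:5\n" for i, fn in enumerate(funcs))
    return head + stack + "\nfreed by thread T0 here:\n    #0 0x55dfff in operator delete(void*) /src/rt/new_delete.cpp:152:3\n"

_UAF = ["__asan_memcpy", "demo::Decoder::OnFrame(int)", "demo::Pipeline::Run()", "demo::Loop::Step()"]
SAMPLES = [  # constructed inputs: two runs of one bug, one different bug, one non-crash log
    _sample(101, "heap-use-after-free", "0x602000000010", _UAF + ["main"]),
    _sample(202, "heap-use-after-free", "0x6020000a0f30", _UAF + ["demo::Worker::Main()"]),
    _sample(303, "heap-buffer-overflow", "0x603000000044", ["demo::Parser::ReadU32(unsigned long)", "main"]),
    "fuzzer: timeout after 25s, no sanitizer output",
]
if __name__ == "__main__":
    print(deduplicate(SAMPLES))
```

Addresses, PIDs and frames below the signature depth differ between the first two reports, yet they land in one bucket, which is what keeps 192 parallel explorers from flooding triage with copies of the same crash.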


Shou Chaofan, co-founder of fuzz.land, stated that some vulnerabilities were initially discovered using MiniMax M2.5, with most of them also being discoverable by MiniMax M2.5 and Opus 4.6. AgentFlow has been open-sourced.
