CPU fuzzing breaks when bugs hide behind complex microarchitectural state: sequences that exercise a specific pipeline interaction, memory ordering edge case, or CSR combination that random mutation almost never generates by chance. HiFuzz replaces mutation with a two-level RL framework. A Program Agent plans the global instruction layout; a Basic Block Agent fills precise instruction sequences. Evaluated on three real RISC-V cores, HiFuzz significantly outperforms prior state-of-the-art fuzzers on both coverage and bug detection. Acceptance at ITC 2026 signals peer review from a hardware test audience, not just an ML one.
The fix for reward sparsity (the reason RL struggles on fuzzing tasks) is an adaptive coverage reward combined with a semantic-aware basic block encoder providing intrinsic feedback when explicit coverage signals are absent. This lets the agents navigate toward under-explored microarchitectural states without requiring every intermediate step to produce a visible coverage gain.
For teams building security-sensitive RISC-V cores today (automotive, hypervisor-capable, microcontrollers with crypto extensions), the pre-silicon verification bar just moved. If RL agents can systematically reach deep architectural states that mutation fuzzers miss, the CPU attack surface previously considered hard to reach without directed effort is no longer hard to reach. The loser is fixed mutation-based CPU fuzzing: it is not wrong, it is structurally less capable against the class of bugs that require specific instruction context to surface. Teams shipping RISC-V silicon in 2026 should run HiFuzz against their core before tapeout; the setup cost is a week, and the bugs it finds are the ones that land on CVE lists after deployment.