diff --git a/Cargo.lock b/Cargo.lock index bca2055..5763f64 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -74,6 +74,12 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "arbitrary" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110" + [[package]] name = "async-trait" version = "0.1.79" @@ -144,6 +150,10 @@ name = "cc" version = "1.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5" +dependencies = [ + "jobserver", + "libc", +] [[package]] name = "cfg-if" @@ -476,6 +486,15 @@ dependencies = [ "generic-array", ] +[[package]] +name = "jobserver" +version = "0.1.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ab46a6e9526ddef3ae7f787c06f0f2600639ba80ea3eade3d8e670a2230f51d6" +dependencies = [ + "libc", +] + [[package]] name = "lazy_static" version = "1.4.0" @@ -491,6 +510,17 @@ version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" +[[package]] +name = "libfuzzer-sys" +version = "0.4.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a96cfd5557eb82f2b83fed4955246c988d331975a002961b07c81584d107e7f7" +dependencies = [ + "arbitrary", + "cc", + "once_cell", +] + [[package]] name = "libm" version = "0.2.8" @@ -979,6 +1009,15 @@ dependencies = [ "tokio-util", ] +[[package]] +name = "ssh-agent-lib-fuzz" +version = "0.0.0" +dependencies = [ + "libfuzzer-sys", + "ssh-agent-lib", + "ssh-encoding", +] + [[package]] name = "ssh-cipher" version = "0.2.0" diff --git a/Cargo.toml b/Cargo.toml index ee28cca..cc66c22 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -15,6 +15,9 @@ keywords = ["ssh", "agent", "authentication", "openssh", "async"]
 categories = ["authentication", "cryptography", "encoding", "network-programming", "parsing"]
 exclude = [".github"]
+[workspace]
+members = [".", "fuzz"]
+
 [dependencies]
 byteorder = "1.4.3"
 async-trait = { version = "0.1.77", optional = true }
diff --git a/fuzz/.gitignore b/fuzz/.gitignore
new file mode 100644
index 0000000..1a45eee
--- /dev/null
+++ b/fuzz/.gitignore
@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
new file mode 100644
index 0000000..26357a1
--- /dev/null
+++ b/fuzz/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "ssh-agent-lib-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+ssh-encoding = "0.2.0"
+
+[dependencies.ssh-agent-lib]
+path = ".."
+
+[[bin]]
+name = "message_decode"
+path = "fuzz_targets/message_decode.rs"
+test = false
+doc = false
+bench = false
diff --git a/fuzz/README.md b/fuzz/README.md
new file mode 100644
index 0000000..32d5590
--- /dev/null
+++ b/fuzz/README.md
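Review bot: `ssh-encoding = "0.2.0"` under `[dependencies]` of fuzz/Cargo.toml is declared independently of the ssh-encoding version ssh-agent-lib itself depends on, which is not visible in this diff. The target imports `ssh_encoding::Decode` from the fuzz crate's copy while `Message` implements the library's copy, so if the two ever resolve to different semver-incompatible versions the fuzz target stops building instead of silently drifting. Consider inheriting the dependency from the workspace the commit introduces (`[workspace.dependencies]` in the root Cargo.toml and `ssh-encoding.workspace = true` here) so both crates are pinned to one version by construction.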
@@ -0,0 +1,28 @@
+# Fuzzing
+
+This directory contains fuzzing targets for ssh-agent-lib.
+
+## Setup
+
+Install [`cargo-fuzz`](https://crates.io/crates/cargo-fuzz):
+
+```sh
+cargo install --locked cargo-fuzz
+```
+
+## Running
+
+Select a target from the list printed by `cargo fuzz list` e.g. `message_decode`:
+
+```sh
+cargo +nightly fuzz run message_decode
+```
+
+Options that can be added to the `fuzz run` command:
+
+- `--jobs N` - increase parallelism,
+- `--sanitizer none` - disable sanitizer since ssh-agent-lib does not use any `unsafe` blocks,
+
+Note that due to a limitation of cargo-fuzz nightly version of the toolchain is required.
+
+For more details see [Fuzzing with cargo-fuzz](https://rust-fuzz.github.io/book/cargo-fuzz.html) or the [more detailed explanation of fuzzing output](https://github.com/rust-fuzz/cargo-fuzz/issues/72#issuecomment-284448618) in a `cargo-fuzz` comment.
diff --git a/fuzz/fuzz_targets/message_decode.rs b/fuzz/fuzz_targets/message_decode.rs
new file mode 100644
index 0000000..a41109b
--- /dev/null
+++ b/fuzz/fuzz_targets/message_decode.rs
@@ -0,0 +1,9 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use ssh_agent_lib::proto::message::Message;
+use ssh_encoding::Decode;
+
+fuzz_target!(|data: &[u8]| {
+    let _ = Message::decode(&mut &data[..]);
+});
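Review bot: The `let _ = Message::decode(&mut &data[..])` body discards the result, so the target only establishes that decoding arbitrary bytes does not panic or hang; it cannot detect an encoder/decoder disagreement, which for an agent protocol parser is the more interesting class of bug. If `Message` implements `Encode` and `PartialEq` (not visible in this hunk — the library would need to be checked), re-encode every successfully decoded message and require that the re-encoded bytes decode to an equal value, with `use ssh_encoding::Encode;` added to the imports; a failing round-trip is then reported by the fuzzer like any other crash. A module comment such as `//! Fuzz target: feeds arbitrary bytes to Message::decode and requires that decoding never panics and that decoded messages round-trip through encode.` would state the property being checked. Separately, `&mut &data[..]` reslices a value that is already `&[u8]`; `let mut reader = data;` followed by `Message::decode(&mut reader)` reads more directly.
```rust
fuzz_target!(|data: &[u8]| {
    let mut reader = data;
    if let Ok(msg) = Message::decode(&mut reader) {
        // Round-trip: anything the decoder accepts must re-encode to bytes
        // that decode back to an equal message.
        let mut encoded = Vec::new();
        msg.encode(&mut encoded)
            .expect("encoding a successfully decoded message must not fail");
        let reparsed = Message::decode(&mut &encoded[..])
            .expect("re-decoding the encoder's own output must not fail");
        assert_eq!(msg, reparsed);
    }
});
```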