Hindsight is 20/20, but with a hook on javax.naming.Context#lookup and a generally useful improvement to the Map instrumentation, Jazzer reliably finds #log4j CVE-2021-44228 in ~5 min with a one-line fuzz target: log.error(data.consumeRemainingAsString());

https://github.com/CodeIntelligenceTesting/jazzer/pull/257