Saved in:
Bibliographic Details
Main Authors: Li, Xingyu, Pu, Juefei, Wu, Yifan, Zou, Xiaochen, Zhu, Shitong, Wu, Qiushi, Zhang, Zheng, Hsu, Joshua, Dong, Yue, Qian, Zhiyun, Lu, Kangjie, Jaeger, Trent, De Lucia, Michael, Krishnamurthy, Srikanth V.
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2509.22796
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908562063622144
author Li, Xingyu
Pu, Juefei
Wu, Yifan
Zou, Xiaochen
Zhu, Shitong
Zou, Xiaochen
Zhu, Shitong
Wu, Qiushi
Zhang, Zheng
Hsu, Joshua
Dong, Yue
Qian, Zhiyun
Lu, Kangjie
Jaeger, Trent
De Lucia, Michael
Krishnamurthy, Srikanth V.
author_facet Li, Xingyu
Pu, Juefei
Wu, Yifan
Zou, Xiaochen
Zhu, Shitong
Zou, Xiaochen
Zhu, Shitong
Wu, Qiushi
Zhang, Zheng
Hsu, Joshua
Dong, Yue
Qian, Zhiyun
Lu, Kangjie
Jaeger, Trent
De Lucia, Michael
Krishnamurthy, Srikanth V.
contents Open-source software projects are foundational to modern software ecosystems, with the Linux kernel standing out as a critical exemplar due to its ubiquity and complexity. Although security patches are continuously integrated into the Linux mainline kernel, downstream maintainers often delay their adoption, creating windows of vulnerability. A key reason for this lag is the difficulty in identifying security-critical patches, particularly those addressing exploitable vulnerabilities such as out-of-bounds (OOB) accesses and use-after-free (UAF) bugs. This challenge is exacerbated by intentionally silent bug fixes, incomplete or missing CVE assignments, delays in CVE issuance, and recent changes to the CVE assignment criteria for the Linux kernel. While fine-grained patch classification approaches exist, they exhibit limitations in both coverage and accuracy. In this work, we identify previously unexplored opportunities to significantly improve fine-grained patch classification. Specifically, by leveraging cues from commit titles/messages and diffs alongside appropriate code context, we develop DUALLM, a dual-method pipeline that integrates two approaches based on a Large Language Model (LLM) and a fine-tuned small language model. DUALLM achieves 87.4% accuracy and an F1-score of 0.875, significantly outperforming prior solutions. Notably, DUALLM successfully identified 111 of 5,140 recent Linux kernel patches as addressing OOB or UAF vulnerabilities, with 90 true positives confirmed by manual verification (many do not have clear indications in patch descriptions). Moreover, we constructed proof-of-concepts for two identified bugs (one UAF and one OOB), including one developed to conduct a previously unknown control-flow hijack as further evidence of the correctness of the classification.
format Preprint
id arxiv_https___arxiv_org_abs_2509_22796
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle What Do They Fix? LLM-Aided Categorization of Security Patches for Critical Memory Bugs
Li, Xingyu
Pu, Juefei
Wu, Yifan
Zou, Xiaochen
Zhu, Shitong
Zou, Xiaochen
Zhu, Shitong
Wu, Qiushi
Zhang, Zheng
Hsu, Joshua
Dong, Yue
Qian, Zhiyun
Lu, Kangjie
Jaeger, Trent
De Lucia, Michael
Krishnamurthy, Srikanth V.
Cryptography and Security
Machine Learning
Open-source software projects are foundational to modern software ecosystems, with the Linux kernel standing out as a critical exemplar due to its ubiquity and complexity. Although security patches are continuously integrated into the Linux mainline kernel, downstream maintainers often delay their adoption, creating windows of vulnerability. A key reason for this lag is the difficulty in identifying security-critical patches, particularly those addressing exploitable vulnerabilities such as out-of-bounds (OOB) accesses and use-after-free (UAF) bugs. This challenge is exacerbated by intentionally silent bug fixes, incomplete or missing CVE assignments, delays in CVE issuance, and recent changes to the CVE assignment criteria for the Linux kernel. While fine-grained patch classification approaches exist, they exhibit limitations in both coverage and accuracy. In this work, we identify previously unexplored opportunities to significantly improve fine-grained patch classification. Specifically, by leveraging cues from commit titles/messages and diffs alongside appropriate code context, we develop DUALLM, a dual-method pipeline that integrates two approaches based on a Large Language Model (LLM) and a fine-tuned small language model. DUALLM achieves 87.4% accuracy and an F1-score of 0.875, significantly outperforming prior solutions. Notably, DUALLM successfully identified 111 of 5,140 recent Linux kernel patches as addressing OOB or UAF vulnerabilities, with 90 true positives confirmed by manual verification (many do not have clear indications in patch descriptions). Moreover, we constructed proof-of-concepts for two identified bugs (one UAF and one OOB), including one developed to conduct a previously unknown control-flow hijack as further evidence of the correctness of the classification.
title What Do They Fix? LLM-Aided Categorization of Security Patches for Critical Memory Bugs
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2509.22796