Alphabet Inc.’s Google DeepMind lab today shared results for CodeMender, an artificial intelligence-powered agent that automatically detects, patches and rewrites vulnerable code to prevent future exploits.
CodeMender builds on DeepMind’s previous AI-based vulnerability discovery projects, such as Big Sleep and OSS-Fuzz, by combining the reasoning power of Gemini Deep Think models with advanced program analysis techniques. The aim is to debug and repair complex security flaws autonomously across massive codebases.
While still only in a research phase, CodeMender has already submitted 72 security fixes to open-source projects, including projects with more than 4.5 million lines of code. According to DeepMind, CodeMender’s AI-powered agent helps developers and maintainers focus on what they do best — building good software — by automatically creating and applying high-quality security patches.
CodeMender is designed to be both reactive and proactive by instantly patching discovered vulnerabilities and also rewriting existing code to eliminate entire classes of flaws.
In one example, the agent applied “-fbounds-safety” annotations to the libwebp image compression library, the same library exploited in a 2023 zero-click iOS attack. In doing so, it rendered similar buffer overflow vulnerabilities “unexploitable forever,” according to DeepMind researchers.
Under the hood, CodeMender uses a suite of tools including static and dynamic analysis, fuzzing, symbolic reasoning and an “LLM judge” that validates whether proposed changes preserve functionality. When that validation detects an issue, the system self-corrects automatically before surfacing its final patch for human review; all changes are verified for correctness, adherence to style guidelines and absence of regressions before submission.
DeepMind notes that CodeMender remains a research effort and that “all patches generated by CodeMender are reviewed by human researchers before they’re submitted upstream.”
The DeepMind team plans to expand outreach to open-source maintainers and “hopes to release CodeMender as a tool that can be used by all software developers to keep their codebases secure,” with technical papers detailing the agent’s architecture and validation pipeline to follow.
If and when it’s released, CodeMender stands in contrast to traditional methods like static analysis and fuzzing, which can surface vulnerabilities but still rely heavily on human expertise to validate and repair them. CodeMender’s approach points toward a future where AI systems handle both discovery and remediation, which is arguably a critical step as modern codebases grow exponentially in size and complexity.