Papers
Topics
Authors
Recent
Search
2000 character limit reached

Patch2Vuln: Agentic Reconstruction of Vulnerabilities from Linux Distribution Binary Patches

Published 7 May 2026 in cs.CR and cs.AI | (2605.06601v1)

Abstract: Security updates create a short but important window in which defenders and attackers can compare vulnerable and patched software. Yet in many operational settings, the most accessible artifacts are binary packages rather than source patches or advisory text. This paper asks whether a language-model agent, restricted to local binary-derived evidence, can reconstruct the security meaning of Linux distribution updates. Patch2Vuln is a local, resumable pipeline that extracts old/new ELF pairs, diffs them with Ghidra and Ghidriff, ranks changed functions, builds candidate dossiers, and asks an offline agent to produce a preliminary audit, bounded validation plan, and final audit. We evaluate Patch2Vuln on 25 Ubuntu .deb package pairs: 20 security-update pairs and five negative controls, all manually adjudicated against private source-patch and binary-function ground truth. The agent localizes a verified security-relevant patch function in 10 of 20 security pairs and assigns an accepted final root-cause class in 11 of 20. Oracle diagnostics show that six security pairs fail before model reasoning because the binary differ or ranker omits the right function, with one additional context-export miss. A separate bounded validation pass produces two target-level minimized behavioral old/new differentials, both for tcpdump, but no crash, timeout, sanitizer finding, or memory-corruption proof; all five negative controls are classified as unknown and produce no validation differentials. These results support agentic vulnerability reconstruction from binary patches as a useful research target while showing that binary-diff coverage and local behavioral validation remain the limiting components.

Authors (2)

Summary

  • The paper demonstrates that LLM agents can accurately localize and reconstruct vulnerability semantics solely from patched ELF binaries in Linux updates.
  • It introduces a four-stage pipeline involving artifact extraction, binary differencing, dossier packaging, and agent audit to detect security updates.
  • Experimental results on Ubuntu packages highlight effective function-level vulnerability localization while underscoring limits due to evidence coverage gaps.

Agentic Vulnerability Reconstruction from Linux Binary Patches: An Analysis of Patch2Vuln

Problem Context and Motivation

"Patch2Vuln: Agentic Reconstruction of Vulnerabilities from Linux Distribution Binary Patches" (2605.06601) systematically explores whether LLM-based agents, when restricted to binary-derived artifacts without source code or advisory access, can reconstruct the security semantics of Linux distribution updates. The central research question addresses the interpretive step: given only patched and vulnerable ELF binaries, can an automated agent localize the security-relevant change, infer root-cause classes, and propose validation strategies, independent of textual or web-based threat intelligence? This departs from prior work focused either on exploit generation from source diffs or patch-based binary matching for one-day vulnerability scanning, examining instead the potential for structured vulnerability reconstruction directly from local binary patch evidence.

System Architecture and Methodology

Patch2Vuln is a local, deterministic pipeline, orchestrated via Docker, which operationalizes four principal stages on binary package pairs:

  1. Artifact Extraction and Preprocessing: Extraction of patched and vulnerable ELF files from .deb packages along with collecting ELF metadata, symbols, and strings.
  2. Binary Differencing and Decompilation: Utilizing Ghidra and Ghidriff, the system generates detailed diffs and function-level decompiler excerpts. A deterministic ranker, not an ML model, prioritizes candidate functions by incorporating binary diff signals, including explicit memory-safety deltas, use of new parser/length guards, or error string modifications.
  3. Candidate Dossier Construction and Packing: Each top-ranked function is accompanied by a structured dossier, encompassing diff features, decompiled context, nearby strings/imports, and local call context. Prompt packing is allocation-aware: dossier packing preserves evidence integrity, preventing loss mid-record.
  4. Agent Audit and Validation: The LLM agent executes a three-stage loop for each target:
    • Preliminary Audit: Function triage, root-cause inference, and input-medium hypothesis based strictly on static binary evidence.
    • Validation Plan Generation: Planning safe local differential probes using harnesses such as tcpdump, expat, or libarchive, but avoiding any weaponized exploit payloads.
    • Final Audit: Integrating observed behavioral differentials to potentially revise conclusions, adhering to explicit constraints against hallucinating remote exploits or leveraging external knowledge.

All outputs are subject to sealed, manual function-level oracle adjudication that distinguishes between differ/ranker omissions, model reasoning failures, and successful agent localization.

Experimental Results

Patch2Vuln was validated on a benchmark of 25 Ubuntu package pairs, including 20 security-update events and five negative controls. Each case was manually adjudicated using private function-level ground truth derived from source patches, CVE advisories, and decompiler mapping. The evaluation delineates task performance into three layers: binary patch presence (BinXray-style), function localization/top-kk ranking, and full semantic vulnerability reconstruction.

Aggregate Performance

  • Security-update pairs localized by agent: 10/20
  • Cases with accepted root-cause class: 11/20
  • Negative controls classified as unknown: 5/5
  • Agent produced two minimized behavioral differentials (tcpdump), but no memory corruption proofs, crashes, or timeouts
  • Principal bottleneck: Six cases failed due to binary diff/ranker not surfacing the relevant function; model reasoning and validation accounted for three misses, and one further case was blocked by context export failure.

The Patch2Vuln ranker consistently improved top-1 and top-5 ground-truth localization relative to raw Ghidriff, but both capped at the top-25 threshold, reflecting intrinsic limits of static binary differencing given compiler, layout, and aggregation noise.

Representative Case Studies

  • Tcpdump filter-file vulnerability (CVE-2018-16301): The agent, despite the candidate function ranked outside the very top, successfully isolated the relevant input path and produced strong behavioral evidence (distinct diagnostic rejection of malformed -F filter files), without claiming memory corruption in the absence of an exploit.
  • Expat integer overflow: Exhibited precise static explanation and root-cause identification but no validation-trigger due to bounded test complexity, maintaining appropriate uncertainty.
  • libarchive patch cluster: The agent correctly mapped several format parser functions to the update, but without behavioral triggers, conservatively reported unknown for root cause, balancing static evidence with absence of runtime confirmation.
  • Negative controls: All five controls, including byte-identical and maintenance updates, were robustly rejected, indicating the agent's resistance to narrative overreach from diff presence alone.

Theoretical and Practical Implications

The findings clarify that LLM agents, deprived of global textual context and operating only over binary-diff artifact sets, can often reconstruct meaningful vulnerability explanations, accurately localize changes, and avoid overclaiming in control scenarios. However, Patch2Vuln's efficacy is strictly upper-bounded by the information surfaced by the binary differ and context exporter: omitted functions or code context result in categorical failure irrespective of agent quality. Thus, the limiting factors are evidence coverage and candidate reachability, not model inferential power.

From a defensive operations perspective, Patch2Vuln demonstrates feasibility for rapid, local auditing of distribution binary updates, even with absent or delayed advisories. It is not an exploit-generation pipeline but an interpretive/diagnostic layer to support vulnerability management workflows. For vulnerability research, the methodology supports constructing function-level vulnerability hypotheses and input-medium mappings without requiring access to source artifacts or patches.

Limitations and Prospects for Future Research

Current empirical limitations stem from several axes:

  • The benchmark is Ubuntu-centric and does not guarantee generalization to RPM or vendor-proprietary binary distributions.
  • Evaluation assumes realistic conditions with preserved binary metadata, which may overestimate agent effectiveness in stripped or symbol-suppressed environments.
  • Patch clusters complicate per-CVE attribution, as many distribution updates conflate multiple upstream changes.
  • Bounded validation, as implemented, does not encompass exploitability or deep reachability: static evidence may not map to practical triggers with available harnesses and input-space constraints.

Key future directions to augment the utility of agentic approaches include:

  • Expanding evidence coverage through improved diff/rank/context strategies, including dynamic binary instrumentation, reachability analysis, and tracer integration.
  • Refined packing and context summarization to avoid prompt truncation while maximizing function evidence.
  • Cross-distribution, adversarial, and symbol-blind experimental variants to probe agent robustness in more challenging operational conditions.
  • Integrating lightweight input generation or guided fuzzing for deeper behavioral differential validation, especially on high-threshold patches.

Conclusion

Patch2Vuln substantiates agentic vulnerability reconstruction from Linux binary patches as a viable and interpretable task under realistic evidence constraints. The system can localize and characterize security-relevant changes in a significant proportion of security updates, while robustly rejecting controls, provided that binary differencing and context construction expose sufficient ground-truth evidence. The dominant failure modality lies in surfacing coverage, underscoring that future research must focus on bridging binary evidence gaps and coupling static and dynamic validation to close the interpretive loop.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 3 tweets with 13 likes about this paper.