Google Deepmind has launched a new research project using artificial intelligence to detect, fix, and eventually prevent entire classes of software vulnerabilities. According to the company, CodeMender has already delivered dozens of patches to open-source projects.
Deepmind says it is developing an automated system, called CodeMender, that scans source code for security flaws and can independently propose or apply security patches.
Researchers point to the growing challenge of finding and fixing vulnerabilities, which traditional approaches like fuzzing or static analysis can no longer fully address. Earlier efforts like Big Sleep and OSS-Fuzz showed that AI is capable of discovering new bugs in established programs. CodeMender aims to automate these processes while also verifying the quality of its repairs.
Combined analysis and validation systems
The agent is powered by the Gemini Deep Think language model and combines several techniques: static and dynamic code analysis, differential testing, fuzzing, and SMT solvers. All changes are automatically checked, including by an internal tool that compares the original and modified code and triggers corrections if needed.
According to Deepmind, this multi-stage review process ensures that only patches that are both functionally correct and traceable move forward. All suggestions are currently reviewed by human researchers before being merged into software projects.
Working with the open-source community
In a test project, Deepmind says CodeMender identified the root cause of a heap buffer overflow in XML code related to faulty stack management - a problem that could not have been found just from the crash report. In another case, the agent adjusted the lifecycle of C objects in a generative codebase to prevent memory errors.
The software can also proactively secure existing code. For this, Deepmind uses "-fbounds-safety" annotations to enable compiler checks against memory access errors. This method has already been applied to parts of the widely used libwebp library. A previous vulnerability in libwebp (CVE-2023-4863) was exploited in a zero-click iOS attack by NSO Group in 2023. Deepmind says the new compiler protections could mitigate or even prevent such vulnerabilities.
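To make concrete what the -fbounds-safety annotations mentioned above express, here is an added example (not DeepMind's or libwebp's code) of an image-row buffer whose data pointer is tied to its length, beside the run-time check the compiler inserts for such an annotated pointer. It assumes Clang's `__counted_by__` attribute spelling and falls back to plain C on compilers without the extension, so the check is written out by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Compilers without Clang's -fbounds-safety extension lack __has_feature;
 * make the annotation a no-op there so the file still builds (assumption:
 * the attribute spelling matches the Clang extension). */
#ifndef __has_feature
#  define __has_feature(x) 0
#endif
#if __has_feature(bounds_safety)
#  define COUNTED_BY(field) __attribute__((__counted_by__(field)))
#else
#  define COUNTED_BY(field)
#endif

/* A decoded image row: the annotation ties `data` to `len`, so under
 * -fbounds-safety every index into data is checked against len at run time. */
struct row {
    size_t len;
    uint8_t *data COUNTED_BY(len);
};

struct row *row_alloc(size_t len) {
    struct row *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->data = calloc(len ? len : 1, 1);
    if (r->data == NULL) { free(r); return NULL; }
    r->len = len;
    return r;
}

void row_free(struct row *r) {
    if (r != NULL) { free(r->data); free(r); }
}

/* Copies `n` decoded bytes into the row starting at `off`. Returns 0, or -1
 * when the write would leave [0, len). This is the check the compiler inserts
 * for indexing and pointer arithmetic on the annotated pointer; there it traps
 * instead of returning an error. */
int row_write(struct row *r, size_t off, const uint8_t *src, size_t n) {
    if (r == NULL || src == NULL) return -1;
    /* overflow-safe form of: off + n > len */
    if (off > r->len || n > r->len - off) return -1;
    memcpy(r->data + off, src, n);
    return 0;
}
```

The rejected cases below (a write that runs one byte past the row, an offset past the end, an offset that would wrap on addition) are exactly the memory errors the compiler-enforced bounds turn from silent corruption into a deterministic failure.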
Since launch, CodeMender has contributed more than 70 security fixes to open-source projects, including some with millions of lines of code. All changes are manually reviewed before release. In the long run, Deepmind plans to make the agent available as a tool for developers and to publish further research on its results.