Paper Detail

Patch2Vuln: Agentic Reconstruction of Vulnerabilities from Linux Distribution Binary Patches

Isaac David, Arthur Gervais

Browse

Workflow Queues

arxiv Score 15.8

Published 2026-05-07 · First seen 2026-05-09

General AI

Open paper source

Abstract

Security updates create a short but important window in which defenders and attackers can compare vulnerable and patched software. Yet in many operational settings, the most accessible artifacts are binary packages rather than source patches or advisory text. This paper asks whether a language-model agent, restricted to local binary-derived evidence, can reconstruct the security meaning of Linux distribution updates. Patch2Vuln is a local, resumable pipeline that extracts old/new ELF pairs, diffs them with Ghidra and Ghidriff, ranks changed functions, builds candidate dossiers, and asks an offline agent to produce a preliminary audit, bounded validation plan, and final audit. We evaluate Patch2Vuln on 25 Ubuntu `.deb` package pairs: 20 security-update pairs and five negative controls, all manually adjudicated against private source-patch and binary-function ground truth. The agent localizes a verified security-relevant patch function in 10 of 20 security pairs and assigns an accepted final root-cause class in 11 of 20. Oracle diagnostics show that six security pairs fail before model reasoning because the binary differ or ranker omits the right function, with one additional context-export miss. A separate bounded validation pass produces two target-level minimized behavioral old/new differentials, both for tcpdump, but no crash, timeout, sanitizer finding, or memory-corruption proof; all five negative controls are classified as unknown and produce no validation differentials. These results support agentic vulnerability reconstruction from binary patches as a useful research target while showing that binary-diff coverage and local behavioral validation remain the limiting components.

Workflow Status

Review status
pending
Role
unreviewed
Read priority
now
Vote
Not set.
Saved
no
Collections
Not filed yet.
Next action
Not filled yet.

Reading Brief

No structured notes yet. Add `summary_sections`, `why_relevant`, `claim_impact`, or `next_action` in `papers.jsonl` to enrich this view.

Why It Surfaced

No ranking explanation is available yet.

Tags

No tags.

Similar Papers

Towards Agentic Investigation of Security Alerts 2026-04-28 · Score 9.8 General AI Beyond Distribution Sharpening: The Importance of Task Rewards 2026-04-17 · Score 13.3 General AI Generalizable Sparse-View 3D Reconstruction from Unconstrained Images 2026-04-30 · Score 7.2 General AI Agentic Federated Learning: The Future of Distributed Training Orchestration 2026-04-06 · Score 8.8 General AI Agentic Forecasting using Sequential Bayesian Updating of Linguistic Beliefs 2026-04-20 · Score 8.3 General AI

BibTeX

@article{david2026patch2vuln,
  title = {Patch2Vuln: Agentic Reconstruction of Vulnerabilities from Linux Distribution Binary Patches},
  author = {Isaac David and Arthur Gervais},
  year = {2026},
  abstract = {Security updates create a short but important window in which defenders and attackers can compare vulnerable and patched software. Yet in many operational settings, the most accessible artifacts are binary packages rather than source patches or advisory text. This paper asks whether a language-model agent, restricted to local binary-derived evidence, can reconstruct the security meaning of Linux distribution updates. Patch2Vuln is a local, resumable pipeline that extracts old/new ELF pairs, diff},
  url = {https://arxiv.org/abs/2605.06601},
  keywords = {cs.CR, cs.AI},
  eprint = {2605.06601},
  archiveprefix = {arXiv},
}

Metadata

{}