Do Fine-Tuned LLMs Understand Vulnerabilities? An Investigation into the Semantic Trap

TL;DR

This paper investigates whether fine-tuned large language models truly understand software vulnerabilities or rely on superficial patterns, revealing a semantic trap that affects their reasoning and decision-making.

Contribution

The study introduces TrapEval, an evaluation framework, and identifies a semantic trap in fine-tuned LLMs, highlighting limitations of current fine-tuning methods in understanding vulnerabilities.

Findings

Vanilla SFT models perform well on unpaired data but fail on real-world paired data.

Explicit reasoning reduces symptoms but lowers recall and does not fully escape the trap.

Models still misinterpret control flow and hallucinate API behavior.

Abstract

Large Language Models (LLMs) have shown promising performance in software vulnerability detection, particularly after domain-specific Supervised Fine-Tuning (SFT). However, it remains unclear whether these models genuinely internalize vulnerability root causes or merely exploit surface-level functional patterns. While prior work documented related failures on pre-trained or zero-shot models, the SFT process itself, and how explicit reasoning supervision modulates it, remains under-explored. We study fine-tuned decoder-only LLMs under vanilla SFT and SFT with reasoning supervision, identifying a failure mode we term the Semantic Trap, characterized by three symptoms: pairing-sensitive performance, gap-dictated decisions, and fragility to semantic-preserving changes. To probe this, we propose TrapEval, an evaluation framework comprising two real-world datasets, V2P (vulnerable paired with patched code) and V2N (vulnerable paired with unrelated normal code), alongside semantic perturbations, CodeBLEU-based gap analysis, and an LLM-assisted reasoning failure taxonomy. Evaluating five representative LLMs fine-tuned with and without explicit reasoning (Chain-of-Thought), our results show vanilla SFT yields deceptively high scores on unpaired data (V2N) while failing all three symptoms. Models suffer high false-positive rates on V2P, degrade under perturbations, and exhibit a systematic dependency on the textual gap between vulnerable and patched code. Finetuning with explicit reasoning reduces these symptoms but costs recall; its lack of measurable gap-dependency partly reflects a floor effect rather than escaping the trap. Furthermore, our taxonomy reveals these models still misinterpret control flow and hallucinate API behavior, indicating current fine-tuning mitigates but does not eliminate reliance on surface features.