Root-Cause-Driven Automated Vulnerability Repair
Hulin Wang, Zion Leonahenahe Basque, Jie Hu, Ati Priya Bajaj, Yibo Liu, Samuel Zhu, Giorgi Kobakhia, Nikhil Chapre, Will Rosenberg, Siddharth Mishra, Aditya Maheshbhai Gabani, Moritz Schloegel, Adam Doupé, Yan Shoshitaishvili, Ruoyu Wang, Tiffany Bao

TL;DR
Kumushi is a root-cause-driven automated vulnerability repair system that improves patch quality by focusing on the defect's origin, evaluated with a novel two-tier metric on 178 vulnerabilities.
Contribution
The paper introduces Kumushi, a new repair agent combining dynamic fault localization and evidence-weighted ranking to produce more genuine root-cause fixes.
Findings
Kumushi outperforms prior repair agents in automated evaluation.
Kumushi produces more root-cause fixes and fewer superficial patches.
Expert assessment favors Kumushi in most comparisons.
Abstract
Recent LLM-based systems have made automated vulnerability repair increasingly practical, but two challenges remain. First, without strong signals about where a bug originates, repair agents drift toward shallow edits that silence the observed failure while leaving the underlying defect unresolved. Second, finding the root cause for bugs is hard: even developers familiar with the codebase frequently produce fixes that address symptoms rather than the root cause, and LLM-based agents, operating with noisier context and less program understanding, are no exception. We present Kumushi, a root-cause-driven patching agent that addresses both challenges by combining diversified dynamic fault localization with evidence-weighted ranking to focus the LLM on the code most relevant to the defect. To rigorously measure whether Kumushi produces genuinely better patches, we also introduce a two-tier…
