Red Hot Cyber


Google CodeMender is here! When AI finds bugs in code and fixes them itself.

Redazione RHC : 7 October 2025 15:27

It would be fantastic to have an AI agent capable of automatically analyzing our projects' code, identifying security bugs, generating fixes, and releasing them straight into production. It seems we will have to get used to the idea: artificial intelligence promises that all this is no longer science fiction but an approaching reality.

Google DeepMind has unveiled CodeMender, a new artificial intelligence agent designed to automatically find and fix vulnerabilities in software code. According to the company's official blog, the system combines the capabilities of Gemini Deep Think's large language models with a set of tools for patch analysis and validation, enabling bug fixes to be made faster and more accurately than traditional methods.

Developers point out that, even using tools like OSS-Fuzz and Big Sleep, manually patching vulnerabilities remains a laborious process. CodeMender addresses this problem comprehensively: not only does it respond to new issues by automatically creating patches, but it also proactively rewrites code fragments, eliminating entire classes of vulnerabilities.

Over the past six months, the DeepMind team has contributed 72 security patches to open source projects. These include libraries totaling over 4.5 million lines of code. All changes are reviewed for correctness and style before being submitted to human review.

CodeMender leverages Gemini models to analyze program logic and code behavior, and to automatically verify the results. The agent can also verify that a patch addresses the root cause of the vulnerability rather than its symptom, and that it does not introduce regressions.

To make the process reliable, DeepMind has implemented new analysis methods: static and dynamic analysis, differential testing, fuzzing, and SMT solvers. Furthermore, CodeMender is based on a multi-agent system, with individual modules specialized in different aspects of code review, from change comparison to self-correction.

In one example, CodeMender fixed a buffer overflow in an XML parser by identifying the root cause, an error in element-stack management, rather than patching the location where the crash occurred. In another case, the agent proposed a complex fix related to the object lifecycle and C code generation within the project.

CodeMender is also able to rewrite existing code using more secure data structures and APIs. For example, the agent automatically added -fbounds-safety annotations to the libwebp library to prevent buffer overflows. This library was previously affected by the critical vulnerability CVE-2023-4863, used in the NSO Group iPhone exploit. Researchers estimate that with the new annotations, such attacks will no longer be possible.
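As an added illustration of what such an annotation buys (example code, not Google's, DeepMind's or libwebp's own): a hypothetical decoder buffer whose `data` array is tied to its `len` field with `__counted_by`, beside the explicit bounds check that a `-fbounds-safety` build would let the compiler generate on every access. It assumes a clang `-fbounds-safety` or GCC 15+ toolchain that understands the attribute; older compilers see plain C and rely on the explicit check alone.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_attribute
#define __has_attribute(x) 0
#endif
#if __has_attribute(__counted_by__)
#define __counted_by(n) __attribute__((__counted_by__(n)))
#else
#define __counted_by(n) /* annotation unknown to this compiler: plain C */
#endif

/* Hypothetical decoder buffer (not libwebp's real layout). The annotation
 * tells the compiler that `data` holds exactly `len` bytes; a clang
 * -fbounds-safety build then checks every access against `len`. */
struct pixel_buf {
    size_t len;
    unsigned char data[] __counted_by(len);
};

struct pixel_buf *pixel_buf_new(size_t len) {
    struct pixel_buf *b = malloc(sizeof *b + len);
    if (b) b->len = len;  /* the count must be valid before data is used */
    return b;
}

/* A bare memcpy(b->data + off, row, row_len) trusting the caller's length
 * is the overflow class the article names. This is the check that
 * -fbounds-safety inserts for us; written as a subtraction so that
 * off + row_len cannot wrap around on a huge row_len. */
int write_row_checked(struct pixel_buf *b, size_t off,
                      const unsigned char *row, size_t row_len) {
    if (off > b->len || row_len > b->len - off)
        return 0;  /* refuse the write rather than corrupt memory */
    memcpy(b->data + off, row, row_len);
    return 1;
}

/* Returns 1 when the checked writer accepts in-bounds rows and rejects
 * the ones that would overflow an 8-byte buffer. */
int pixel_buf_selfcheck(void) {
    unsigned char row[4] = {1, 2, 3, 4};  /* constructed sample row */
    struct pixel_buf *b = pixel_buf_new(8);
    if (!b) return 0;
    int ok = write_row_checked(b, 4, row, 4) && b->data[7] == 4
          && !write_row_checked(b, 6, row, 4)    /* 6 + 4 > 8 */
          && !write_row_checked(b, 9, row, 0)    /* offset past end */
          && write_row_checked(b, 8, row, 0);    /* empty row at end */
    free(b);
    return ok;
}
```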

The agent not only applies patches, but also automatically tests them, fixing new errors and verifying their functional compliance with the source code. If inconsistencies are detected, the system uses an “LLM judge” to correct the patch without human intervention.

For now, DeepMind is maintaining a cautious stance: all changes are subject to mandatory manual review. However, CodeMender is already helping improve the security of dozens of popular open source projects. The company intends to expand its community involvement and make the tool available to all developers in the future.

The developers promise to publish technical reports and articles on the approaches used in CodeMender in the coming months. They say the project is only just beginning to exploit the potential of artificial intelligence in software security.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
