Українська правда

Google DeepMind releases CodeMender, an AI agent for autonomously fixing vulnerabilities in code


Google DeepMind has introduced CodeMender, an experimental AI agent capable of autonomously detecting and fixing vulnerabilities in software code.

The system combines the capabilities of Gemini Deep Think models with static and dynamic analysis, fuzz testing, and symbolic modeling. As a result, CodeMender not only reacts to problems it finds but also rewrites code fragments to eliminate entire classes of errors.

Despite its research project status, the agent has already submitted 72 fixes to open repositories, covering over 4.5 million lines of code. One example is the addition of -fbounds-safety annotations to the libwebp library, which was used in a zero-click attack on iOS in 2023. According to the researchers, this makes such buffer overflows "permanently unexploitable."

Before a patch is submitted, it goes through a multi-level review: changes are evaluated by an "LLM judge," a self-correction system eliminates errors, and the final decision is made by DeepMind researchers. The company emphasizes that every fix undergoes a human audit.

DeepMind plans to expand its collaboration with open-source project owners and eventually make CodeMender available to developers as a tool for protecting large codebases. If that happens, the approach could become an alternative to traditional methods like static analysis or fuzzing, which require significant human intervention.
