CodeMender: an AI agent for code security (deepmind.google)

🤖 AI Summary
Google DeepMind announced CodeMender, an AI-powered agent that automatically finds, diagnoses and patches security vulnerabilities in real-world code. Built on Gemini Deep Think models, it has already upstreamed 72 security fixes to large open-source projects and works both reactively (patching newly discovered flaws as they surface) and proactively (rewriting existing code to eliminate entire classes of bugs). Notable examples include tracing a heap overflow to a non-obvious root cause in XML parsing, producing non-trivial fixes for object-lifetime issues, and applying -fbounds-safety annotations to libwebp so that many buffer overflows become unexploitable.

Technically, CodeMender pairs LLM reasoning with heavyweight program-analysis tooling (static and dynamic analysis, differential testing, fuzzing, SMT solvers) plus a debugger and a source browser. It uses a multi-agent architecture with specialized agents for critique, patching and testing, together with automated validation, including an LLM-based judge for functional equivalence, to ensure that patches fix root causes, avoid regressions and conform to project style.

Because mistakes in security patches are high-cost, all generated patches are currently human-reviewed; the team is ramping up engagement with maintainers and preparing technical papers. For the AI/ML community, CodeMender demonstrates a scalable, integrated LLM-plus-formal-tool pipeline that moves beyond vulnerability discovery to automated remediation, while underscoring the need for rigorous validation and human oversight.
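To make the libwebp item concrete, the following is an added example (not code from the announcement, from libwebp, or from CodeMender's patch) of what a bounds-safety annotation on a length-carrying buffer looks like. It assumes the `counted_by` attribute as implemented in recent Clang and GCC; the full -fbounds-safety model uses the `__counted_by` spelling from Clang's ptrcheck.h, and on compilers without the attribute the macro expands to nothing, so only the explicit checks remain. The `struct row` type and all function names are hypothetical.

```c
/* Added example, not from the original page: annotating a buffer with its
 * element count so instrumented builds can bounds-check every access.
 * Assumption: the counted_by attribute as in Clang 18+ / GCC 15+. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(member)   /* unsupported compiler: documentation only */
#endif

/* Hypothetical pixel row: data[] holds exactly len bytes. The annotation
 * ties the flexible array member to its length field. */
struct row {
    size_t  len;
    uint8_t data[] COUNTED_BY(len);
};

struct row *row_new(size_t len) {
    struct row *r = malloc(sizeof *r + len);
    if (!r) return NULL;
    r->len = len;
    memset(r->data, 0, len);
    return r;
}

/* Vulnerable shape: trusts the caller-supplied index. Under a
 * bounds-safety build the annotated access traps instead of corrupting
 * the heap; on a plain build it is a classic heap overflow. */
void row_put_unchecked(struct row *r, size_t i, uint8_t v) {
    r->data[i] = v;
}

/* Hardened form: an explicit check that holds on every compiler. */
int row_put(struct row *r, size_t i, uint8_t v) {
    if (i >= r->len) return -1;
    r->data[i] = v;
    return 0;
}

int row_get(const struct row *r, size_t i) {
    if (i >= r->len) return -1;
    return r->data[i];
}

/* Allocate len bytes, attempt a checked write at index i, report result. */
int check_write(size_t len, size_t i) {
    struct row *r = row_new(len);
    if (!r) return -2;
    int rc = row_put(r, i, 0xAB);
    free(r);
    return rc;
}

/* Round-trip through the checked API; returns 1 when behaviour is correct. */
int demo(void) {
    struct row *r = row_new(4);
    if (!r) return 0;
    int inside  = row_put(r, 3, 0xAB);   /* 0: in range */
    int outside = row_put(r, 4, 0xCD);   /* -1: rejected */
    int v       = row_get(r, 3);         /* 0xAB */
    free(r);
    return (inside == 0 && outside == -1 && v == 0xAB) ? 1 : 0;
}

int main(void) {
    printf("checked accessors behave correctly: %d\n", demo());
    printf("write at len: %d\n", check_write(4, 4));
    return 0;
}
```

Build with `-fsanitize=array-bounds` on a compiler that honours `counted_by` to see `row_put_unchecked` trap on an out-of-range index; without instrumentation, only `row_put` and `row_get` refuse the access.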