
Google Unveils CodeMender to Fix Software Vulnerabilities Automatically

This new AI agent is built to autonomously find and fix software vulnerabilities.

Oct 7, 2025

Google has introduced CodeMender, a new artificial intelligence agent designed to automatically detect and patch software vulnerabilities.

This is a step that could redefine how developers secure codebases across the open-source ecosystem.

AI that repairs code, not just finds bugs

According to Google DeepMind’s blog, traditional tools like fuzzers and scanners can uncover flaws in code but often leave developers with the time-consuming task of creating and verifying patches. CodeMender, powered by Google’s Gemini Deep Think models, takes this process several steps further: it not only identifies vulnerabilities but also fixes them autonomously.

The system operates both reactively, patching new security flaws as they are reported, and proactively, rewriting existing code to eliminate entire classes of vulnerabilities. Over the past six months, CodeMender has already contributed 72 security fixes to major open-source projects, some of them as large as 4.5 million lines of code.

“By automatically creating and applying high-quality security patches, CodeMender allows developers to focus on what they do best—building great software,” the researchers said.

How CodeMender works

CodeMender is built to reason about code and to validate its own changes. It drives a suite of program-analysis tools, static and dynamic analysis, fuzzing, symbolic execution, and SMT solvers, to locate the root cause of a bug rather than just the crash site. Once a patch is generated, CodeMender automatically validates it to confirm it fixes the issue without introducing regressions.

The agent employs a multi-agent system approach: specialized sub-agents focus on critique, regression testing, and self-correction. One of these agents compares the modified and original code, ensuring that no new problems are introduced and that the patch conforms to style and performance standards.

Examples of CodeMender in action

In one test, CodeMender traced a heap buffer overflow to incorrect stack management of XML elements — a subtle bug that would have been difficult to locate manually. In another, it generated a non-trivial patch for a complex C code generator, demonstrating its ability to reason through custom architectures.

Beyond reactive fixes, CodeMender also hardens existing code by introducing safer programming constructs. For instance, it applied Clang's -fbounds-safety annotations to libwebp, Google's widely used image compression library. With those annotations in place the compiler inserts bounds checks on the annotated buffers, so an out-of-bounds write such as the heap overflow behind CVE-2023-4863, which was used in a zero-click iOS attack, would trap at runtime instead of corrupting memory.
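The hardening described above, as an added example that is neither the page's nor libwebp's code: a constructed length-prefixed chunk decoder in its unchecked form beside a checked form in which the destination's capacity travels with the pointer. Under Clang's -fbounds-safety the `__counted_by` annotation expresses that relationship and the compiler emits the trap; here the checks are also written out explicitly so the block compiles with any C compiler. The `COUNTED_BY` macro, the feature-test name `bounds_safety`, the chunk format and the sample chunks are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for Clang's -fbounds-safety annotation. The feature-test
   name "bounds_safety" is assumed; without the extension the macro expands
   to nothing and the explicit checks below do the same job. */
#ifdef __has_feature
#  if __has_feature(bounds_safety)
#    define COUNTED_BY(n) __counted_by(n)
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(n)
#endif

/* Constructed chunk format for this example: byte 0 is the declared payload
   length, followed by the payload. Nothing here is libwebp code. */
static const uint8_t GOOD_CHUNK[]      = { 4, 'R', 'I', 'F', 'F' };            /* honest header */
static const uint8_t LYING_CHUNK[]     = { 200, 'R', 'I', 'F', 'F' };          /* claims 200, carries 4 */
static const uint8_t OVERSIZED_CHUNK[] = { 6, 'W', 'E', 'B', 'P', 'V', 'P' };  /* honest, but 6 bytes */

uint8_t demo_out[8];   /* destination buffer; its capacity is what must be respected */

/* BEFORE: the declared length is trusted and copied into a buffer whose
   capacity the function never learns. LYING_CHUNK overflows 'out' and reads
   past the end of the chunk. Kept only to show the bug; never call it on
   untrusted input. */
size_t decode_chunk_unchecked(const uint8_t *chunk, uint8_t *out)
{
    size_t n = chunk[0];
    memcpy(out, chunk + 1, n);
    return n;
}

/* AFTER: the capacity is part of the interface, which is exactly what
   __counted_by(out_cap) expresses; under -fbounds-safety the compiler
   inserts the equivalent trap on every access through 'out'.
   Returns the payload length, or 0 if the chunk is rejected. */
size_t decode_chunk_checked(const uint8_t *chunk, size_t chunk_len,
                            size_t out_cap, uint8_t *out COUNTED_BY(out_cap))
{
    if (chunk_len < 1)
        return 0;                       /* no header byte at all */
    size_t n = chunk[0];
    if (n > chunk_len - 1)
        return 0;                       /* header lies about what was read */
    if (n > out_cap)
        return 0;                       /* payload would overflow the destination */
    memcpy(out, chunk + 1, n);
    return n;
}

int main(void)
{
    size_t n;

    n = decode_chunk_checked(GOOD_CHUNK, sizeof GOOD_CHUNK, sizeof demo_out, demo_out);
    printf("good chunk:      %zu bytes (%.4s)\n", n, (const char *)demo_out);

    n = decode_chunk_checked(LYING_CHUNK, sizeof LYING_CHUNK, sizeof demo_out, demo_out);
    printf("lying chunk:     %s\n", n == 0 ? "rejected" : "ACCEPTED?!");

    n = decode_chunk_checked(OVERSIZED_CHUNK, sizeof OVERSIZED_CHUNK, 4, demo_out);
    printf("oversized chunk: %s\n", n == 0 ? "rejected (cap 4)" : "ACCEPTED?!");

    /* The unchecked decoder is only safe when the header is honest and the
       payload fits; feeding it LYING_CHUNK would corrupt memory. */
    n = decode_chunk_unchecked(GOOD_CHUNK, demo_out);
    printf("unchecked, honest header: %zu bytes\n", n);
    return 0;
}
```

The point of the rewrite is not the three `if` statements but that the capacity becomes part of the function's signature: once it is, a bounds-safety-aware compiler can check every access for you, and a reviewer can see at a glance which length a pointer is bounded by.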

Human review and deployment

Despite its autonomy, Google says it is taking a measured approach to CodeMender’s rollout. Every AI-generated patch currently undergoes human review before being submitted upstream to open-source repositories. Several of these patches have already been accepted and merged.

The research team plans to collaborate with open-source maintainers to expand adoption and refine the technology. They also intend to publish additional technical papers detailing CodeMender’s inner workings and results.

Software development’s future

Google reckons CodeMender represents a growing trend in AI-driven software engineering — where intelligent agents not only assist with development but actively enhance the security and resilience of global code infrastructure.

Some will argue that AI has the potential to make software safer for everyone, while others may point out that it also signals more job cuts to come.

