Calibration Without Comprehension: Diagnosing the Limits of Fine-Tuning LLMs for Vulnerability Detection in Systems Software
- company Hugging Face
- lab arXiv
- location Linux
- person Arastoo Zibaeirad
- product DagsHub
- product GotitPub
- product ScienceCast
- product alphaXiv
Fine-tuning large language models on vulnerability data does not improve their security reasoning for systems software, according to a study that introduced a new evaluation framework called CWE-Trace. The research found models merely adapt their output distributions to training data without developing genuine comprehension of software flaws [1]. The study, submitted to arXiv on 18 June 2026, evaluated eight vanilla LLMs and 15 LoRA fine-tuned variants across three tasks: non-targeted detection, targeted detection, and CWE classification [1][2]. The CWE-Trace framework was built from 834 manually curated Linux kernel samples spanning 74 Common Weakness Enumeration categories [1][2]. It enforces a strict temporal split between pre-2025 historical data and post-cutoff leakage-free data, preserving context-aware vulnerable-to-patched pairs [2]. Two diagnostic metrics were introduced: the Directional Failure Index and Hierarchical Distance and Direction [2]. The DFI measures systematic failure modes, with values ranging from -85.5 to +94.8 percentage points across models [1][2]. These failure patterns persisted from historical to post-cutoff data and resisted correction through fine-tuning [2]. Data contamination provided no measurable advantage, the researchers found. Function-level analysis showed that 84% of nominally contaminated samples carried no usable memorization signal, as vulnerable functions were absent or cross-mapped across datasets [1][2]. Approximately 31% of contaminated samples carried CWE misclassification [1][2]. The best detection score reached only 52.1%, just 2.1 percentage points above chance, while exact CWE ranking remained below 1.3% Top-1 accuracy [1][2]. The weakest backbone at binary detection, DeepSeek-R1, gained the most in coarse CWE classification, revealing that detection and understanding are decoupled capabilities [1][2]. DeepSeek-R1, developed by the Chinese AI company DeepSeek founded in July 2023, is an open-weight model that provided responses comparable to OpenAI's GPT-4 and o1 at reportedly lower training costs [8]. "Fine-tuning shifts the output threshold without changing the decision policy," the authors wrote. "This is calibration without comprehension: output distributions adapt to training data while the underlying security reasoning remains absent" [2]. The findings confirm that current LLMs lack reliable security reasoning for systems software, regardless of fine-tuning strategy [1][2].
research-papertool-releasecommentarymodel-releaseregulation
Background sources we checked (9)
- arxiv.org ↗ Whether LLMs scoring well on vulnerability benchmarks genuinely reason about security or merely pattern-match on contaminated data remains unresolved. We present CWE-Trace, a framework for LLM vulnerability detection built from 834 manually curated Linux kernel samples spanning 7…
- en.wikipedia.org ↗ This article presents a detailed timeline of events in the history of computing from 2020 to the present. For narratives explaining the overall developments, see the history of computing. Significant events in computing include events relating directly or indirectly to software, …
- arxiv.org ↗ We review thirteen generative systems and five supporting datasets for quantum circuit and quantum code generation, identified through a structured scoping review of Hugging Face, arXiv, and provenance tracing (January-February 2026). We organize the field along two axes: artifac…
- huggingface.co ↗ # Paper Pages Paper pages allow people to find artifacts related to a paper such as models, datasets and apps/demos (Spaces). Paper pages also enable the community to discuss about the paper. ## Linking a Paper to a model, dataset or Space If the repository card (`README.md`) …
- huggingface.co ↗ # How to Add a Space to ArXiv ... Demos on Hugging Face Spaces allow a wide audience to try out state-of-the-art machine learning research without writing any code. Hugging Face and ArXiv have collaborated to embed these demos directly along side papers on ArXiv! ... Thanks to th…
- huggingface.co ↗ Daily Papers - Hugging Face new Get trending papers in your email inbox once a day! Get trending papers in your email inbox! Subscribe # Daily Papers ## byAK and the research community - Daily - Weekly - Monthly Trending Papers https://huggingface.co/papers/date/2026-06-…
- en.wikipedia.org ↗ Hangzhou DeepSeek Artificial Intelligence Basic Technology Research Co., Ltd., doing business as DeepSeek, is a Chinese artificial intelligence (AI) company that develops large language models (LLMs). Based in Hangzhou, Zhejiang, DeepSeek is owned and funded by High-Flyer, a Chin…
- en.wikipedia.org ↗ A large language model (LLM) is a type of machine learning model designed for natural language processing tasks such as language generation. LLMs are language models with many parameters, and are trained with self-supervised learning on a vast amount of text.…
- en.wikipedia.org ↗ Qwen (also known as Tongyi Qianwen, Chinese: 通义千问; pinyin: Tōngyì Qiānwèn) is a family of large language models developed by Alibaba Cloud. Many Qwen models are distributed under the free and open-source Apache 2.0 license, the source-available Qwen License, or the non-commercial…
Sources covering this (2)
- export.arxiv.org — Calibration Without Comprehension: Diagnosing the Limits of Fine-Tuning LLMs for Vulnerability Detection in Systems Software ↗
- export.arxiv.org — Calibration without labels in multiple testing · Global