EPS
← All batches·2605.11015

DCVD: Dual-Channel Cross-Modal Fusion for Joint Vulnerability Detection and Localization

topic: othertop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFthreats2026-05-13

Authors: Wenxin Tang, Wenbin Li, Junliang Liu et al.

arXiv · PDF

Summary

DCVD is a vulnerability detection framework that jointly predicts whether a function is vulnerable (function-level detection) and pinpoints the specific vulnerable lines (statement-level localization). Most existing methods rely on a single information source (sequential, structural, or semantic) and treat localization as a byproduct of detection without explicit line-level supervision. DCVD extracts control-dependency and semantic features through two parallel branches, aligns them via contrastive learning and bidirectional cross-attention, and introduces explicit supervision at both function and statement levels for joint optimization. On a large-scale real-world benchmark it outperforms state-of-the-art methods on both tasks.

Main takeaways:

  • Vulnerability detection needs both function-level classification (is it vulnerable?) and statement-level localization (which lines are the problem?).
  • Existing methods use only one modality (sequential, structural, or semantic) and lack explicit line-level supervision.
  • DCVD runs two parallel branches (control-dependency and semantic features), aligns them with contrastive learning and bidirectional cross-attention, and supervises both function and statement levels jointly.
  • Outperforms state-of-the-art on both function-level detection and statement-level localization on a large-scale real-world vulnerability benchmark.
  • Code available at https://github.com/vinsontang1/DCVD.

Relevance

Not related to my persona or midtraining work—this is software security, not language-model behavior. Included because the dual-level supervision (coarse function label + fine statement label) is loosely analogous to how I might supervise both persona-level markers and token-level localization of where a behavior is installed, though the domain is completely different.

Threat model

Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations, benchmark.

Abstract

arXiv:2605.11015v1 Announce Type: new Abstract: Software vulnerability detection plays a critical role in ensuring system security, where real-world auditing requires not only determining whether a function is vulnerable but also pinpointing the specific lines responsible. However, existing approaches either rely on a single information source -- sequential, structural, or semantic -- failing to jointly exploit the complementary strengths across modalities, or treat statement-level localization merely as a byproduct of function-level detection without explicit line-level supervision. To address these limitations, we propose DCVD (Dual-Channel Cross-Modal Vulnerability Detection), a unified framework that performs joint function-level detection and statement-level localization. DCVD extracts control-dependency and semantic features through two parallel branches and integrates them via contrastive alignment coupled with bidirectional cross-attention, effectively bridging the cross-modal representation gap. It further introduces explicit supervision signals at both the function and statement levels, enabling collaborative optimization across the two granularities. Extensive experiments on a large-scale real-world vulnerability benchmark demonstrate that DCVD consistently outperforms state-of-the-art methods on both function-level detection and statement-level localization. Our code is available at https://github.com/vinsontang1/DCVD.