CWE-Trace Reveals LLMs Achieve Calibration Without Comprehension in Vulnerability Detection

A new study introduces CWE-Trace, a framework for LLM vulnerability detection built from 834 manually curated Linux kernel samples spanning 74 CWEs. The framework enforces a strict temporal split (pre-2025 historical set / post-cutoff leakage-free set) and preserves context-aware vulnerable–patched pairs, enabling rigorous evaluation of fine-tuned models.

The central finding is that fine-tuning produces what the authors call “calibration without comprehension”: output distributions shift to match training data while the underlying security reasoning remains absent. Fine-tuning shifts the output threshold without changing the decision policy. This is evidenced by stable systematic failure modes, with the Directional Failure Index (DFI) ranging from -85.5 to +94.8 percentage points, persisting from historical to post-cutoff data and resisting correction.

Data contamination provides no measurable advantage. Function-level analysis shows that 84% of nominally contaminated samples carry no usable memorization signal: vulnerable functions are absent or cross-mapped across datasets, and ~31% of contaminated samples carry CWE misclassification. The best detection score reaches only 52.1% (+2.1 pp above chance); exact CWE ranking remains below 1.3% Top-1 accuracy, confirming that current LLMs lack reliable security reasoning for systems software, regardless of fine-tuning strategy.

Interestingly, the weakest backbone at binary detection (DeepSeek-R1) gains the most in coarse CWE classification, revealing that detection and understanding are decoupled capabilities. This suggests that improving one metric does not imply improvement in the other.

These findings have direct implications for AI×crypto applications. On-chain vulnerability oracles relying on fine-tuned LLMs to audit smart contracts inherit the same failure modes, potentially missing nearly half of vulnerabilities. MEV and consensus-layer security tools using LLM-based agents may be evaded by adversarial inputs that exploit backbone directional priors. Zero-knowledge proof auditing, which requires precise classification of cryptographic bugs, is undermined by the <1.3% Top-1 CWE accuracy. Decentralized AI inference markets cannot infer reasoning quality from benchmark performance alone, as detection and understanding are decoupled. Finally, token-incentivized data-labeling markets cannot reliably price contamination risk, since contaminated samples carry weak memorization signals and frequent misclassifications.