Google DeepMind Launches ‘CodeMender’ — An AI Agent That Fixes Software Vulnerabilities Automatically
CodeMender can generate, validate, and apply high-quality security fixes.

DeepMind today introduced CodeMender, an AI-powered agent designed to autonomously detect, patch, and proactively secure codebases against vulnerabilities.
Unlike conventional tools that only flag flaws, CodeMender can generate, validate, and apply high-quality security fixes — helping developers focus on building rather than patching.
"CodeMender helps solve this problem by taking a comprehensive approach to code security that’s both reactive, instantly patching new vulnerabilities, and proactive, rewriting and securing existing code and eliminating entire classes of vulnerabilities in the process," the company said.
Built on Gemini Deep Think models, CodeMender is capable of reasoning about code, identifying root causes, and deploying patches with built-in validation checks. Over the past six months, it has already contributed 72 security fixes to open-source projects, including codebases as large as 4.5 million lines.
Excited to share early results about CodeMender, our new AI agent that automatically fixes critical software vulnerabilities. AI could be a huge boost for developer productivity and security. Amazing work from the team - congrats!
— Demis Hassabis (@demishassabis) October 7, 2025
CodeMender operates via a tool-augmented workflow: it uses advanced programme analysis techniques — from static and dynamic analysis to fuzzing, differential testing, and SMT solvers — along with multi-agent critique modules to ensure patches don’t introduce regressions. Only the most vetted patches are surfaced for human review.
DeepMind describes the approach as both reactive (patching new vulnerabilities) and proactive (rewriting code to prevent entire classes of security flaws). One showcased example involved applying -fbounds-safety annotations to libwebp, which could have thwarted a prior buffer overflow exploit (CVE-2023-4863).
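To make the libwebp example concrete, here is an added illustration (not CodeMender's output and not libwebp's code) of the kind of change a -fbounds-safety annotation pass makes. The decoder table, the wire format with a sender-declared entry count, and the function names are all hypothetical. The toolchain assumptions are that a Clang built with -fbounds-safety reports `__has_feature(bounds_safety)` and ships the `__counted_by` macro in `<ptrcheck.h>`; on any other compiler the annotation is defined away, which is exactly the caveat a practitioner should keep in mind: without the flag, only the explicit length check protects the table, and the "before" function overruns its buffer as written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toolchain assumption: Clang built with -fbounds-safety exposes the annotation
 * macros via <ptrcheck.h> and reports __has_feature(bounds_safety). Elsewhere the
 * annotation compiles to nothing, so the explicit length check below is the only
 * defence and the "before" function really does overrun its buffer. */
#ifndef __has_feature
#  define __has_feature(x) 0
#endif
#if __has_feature(bounds_safety)
#  include <ptrcheck.h>
#else
#  define __counted_by(n)
#endif

/* Hypothetical decoder table: `entries` is valid for exactly `cap` bytes. Under
 * -fbounds-safety the annotation makes every entries[i] with i >= cap trap. */
typedef struct {
    size_t cap;
    size_t len;
    uint8_t *entries __counted_by(cap);
} table_t;

/* Constructed wire format: msg[0] is a count declared by the sender, followed
 * by that many entry bytes. The count is attacker-controlled. */

/* "Before": validates the input buffer but trusts the declared count when
 * writing to the output table. A count larger than t->cap overruns entries. */
int table_fill_unchecked(table_t *t, const uint8_t *msg __counted_by(msglen),
                         size_t msglen)
{
    if (msglen < 1)
        return -1;
    size_t count = msg[0];
    if (msglen < 1 + count)
        return -1;                     /* guards the read side only */
    for (size_t i = 0; i < count; i++)
        t->entries[i] = msg[1 + i];    /* no check against t->cap */
    t->len = count;
    return 0;
}

/* "After": the write side is bounded by the table's own capacity. */
int table_fill_checked(table_t *t, const uint8_t *msg __counted_by(msglen),
                       size_t msglen)
{
    if (msglen < 1)
        return -1;
    size_t count = msg[0];
    if (msglen < 1 + count)
        return -1;
    if (count > t->cap)
        return -2;                     /* reject instead of overrunning */
    memcpy(t->entries, msg + 1, count);
    t->len = count;
    return 0;
}

/* Runs one variant against a crafted message whose declared count (6) exceeds
 * the table capacity (4). The table is backed by an 8-byte buffer whose last
 * four bytes serve as a canary, so the overrun is observable without UB. */
static int run_demo(int hardened, int *rc_out)
{
    uint8_t backing[8];
    memset(backing, 0xAA, sizeof backing);
    table_t t = { .cap = 4, .len = 0, .entries = backing };
    const uint8_t msg[] = { 6, 1, 2, 3, 4, 5, 6 };   /* constructed input */

    int rc = hardened ? table_fill_checked(&t, msg, sizeof msg)
                      : table_fill_unchecked(&t, msg, sizeof msg);
    if (rc_out)
        *rc_out = rc;

    int clobbered = 0;
    for (size_t i = 4; i < sizeof backing; i++)
        if (backing[i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Canary bytes overwritten: 2 on the unchecked path, 0 when hardened. */
int demo_clobbered_bytes(int hardened) { return run_demo(hardened, NULL); }

/* Fill return code: 0 on the unchecked path (it "succeeds" while corrupting
 * memory), -2 when the hardened check rejects the message. */
int demo_return_code(int hardened)
{
    int rc = 0;
    run_demo(hardened, &rc);
    return rc;
}

int main(void)
{
    printf("unchecked: rc=%d, canary bytes clobbered=%d\n",
           demo_return_code(0), demo_clobbered_bytes(0));
    printf("checked:   rc=%d, canary bytes clobbered=%d\n",
           demo_return_code(1), demo_clobbered_bytes(1));
    return 0;
}
```

Compiled with a bounds-safety-capable Clang (`clang -fbounds-safety`), the unchecked path traps at `t->entries[5]` instead of silently returning 0 with corrupted memory; the point of the annotation is that the compiler now knows the relationship between `entries` and `cap` that the original code only assumed. Note that the annotation does not remove the need for the explicit `count > t->cap` check: it turns a silent memory corruption into a crash, which is a denial of service rather than a code-execution primitive, but the checked variant is still the correct fix.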
DeepMind emphasises that CodeMender’s deployment is cautious. All proposed patches undergo human review, and its rollout to open-source maintainers is gradual.
Recently, AI startup Anthropic published research showing that Claude Sonnet 4.5 outperforms its predecessor, Opus 4.1, at detecting vulnerabilities, patching code, and analysing system security, and even surpasses human teams in some cybersecurity competitions.