Security/ security · reinforcement-learning · static-analysis · c-cpp

RL for Bug Hunting in C/C++ Is Still Mostly Theoretical

A systematic review of 21 studies finds reinforcement learning has barely scratched the surface of actual vulnerability detection in C/C++ code.

Reinforcement learning has been applied to software security research for over a decade, yet almost none of that work targets the hardest part: finding real vulnerabilities.

Researchers conducting a PRISMA 2020-compliant review of the field examined 21 studies published between 2015 and 2026, drawn from major scientific databases. Of those, 15 focused on fuzzing and guided program exploration - the comparatively approachable task of generating inputs that crash software. Only 3 studies tackled direct vulnerability detection, and just one attempted to pinpoint the exact line of code where a flaw lives. The review also found that structurally rich code representations - Control Flow Graphs and Abstract Syntax Trees - are rarely used as inputs to RL agents, despite being standard tools in traditional static analysis.

This matters because C and C++ still underpin most operating systems, embedded firmware, and performance-critical infrastructure. Manual memory management in these languages creates an entire class of bugs - buffer overflows, use-after-free errors - that automated tools have struggled to catch reliably for years. If RL is going to close that gap, it needs to work at the source-code level, not just throw random inputs at a binary.

The review proposes a taxonomy to bring some order to a field where benchmarks are inconsistent enough that comparing results across papers is nearly impossible - which is itself a sign that the research is still in early-stage scatter, not convergence.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →