CVE disclosures trigger an immediate race between attackers, who leverage patches to search for vulnerability variants, and defenders, who attempt to harden their systems. Static analysis frameworks such as CodeQL can, in principle, automate variant detection, but writing correct, high-signal CodeQL queries remains a challenging and specialist skill. We introduce DNA, an automated pipeline that transforms CVE information and patch diffs into candidate CodeQL queries for variant analysis and iteratively repairs them using compiler/LSP feedback. DNA targets a key failure mode of LLM-based CodeQL synthesis, symbol hallucination, via a hybrid repair loop: (i) a deterministic Auto-Fixer that corrects frequent, systematic API mistakes, and (ii) an LSP-guided refinement step grounded by retrieval-augmented generation (RAG) over version-matched CodeQL documentation. We evaluate DNA on 11 CVEs across well-known open-source projects, including Expat, VLC, FFmpeg, and React. Across 54 fully autonomous runs, DNA improves the end-to-end query compilation rate from 12.0% (naive prompting) to 44.4% (hybrid repair). On the subset of queries that compile, DNA surfaces candidate variant locations that require human triage; we present detailed success/failure analyses and discuss why macro-heavy C/C++ codebases remain challenging. Finally, we include a case study on CVE-2025-55182 ("React2Shell"), a critical pre-authentication RCE in React Server Components. We show how DNA, seeded only with public patch and advisory context, generates an executable query that narrows the search space to a small set of production-relevant candidate code paths consistent with the disclosed vulnerability mechanism, among them one previously unknown candidate, which we reported upstream; its technical validity was confirmed.
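The two-tier repair loop the abstract describes (deterministic Auto-Fixer first, documentation-grounded refinement for what remains, recompile, repeat) can be sketched in code. The following is an added illustration, not code from the DNA paper or its authors: the "compiler" is a toy symbol checker over a constructed, deliberately tiny symbol table of real C/C++ CodeQL library predicates, the Auto-Fixer rule table and the sample hallucinated query are constructed, and `difflib` stands in for the LLM+RAG step that the paper uses to ground refinement in version-matched documentation.

```python
"""Illustrative hybrid repair loop for LLM-written CodeQL queries (added example,
not the DNA paper's code). The real pipeline uses the CodeQL compiler/LSP; here a
toy symbol checker over a constructed symbol table plays the compiler's role."""
import difflib
import re
from dataclasses import dataclass

# Constructed stand-in for version-matched CodeQL docs: class -> {predicate: result type}.
# The predicate names are real C/C++ CodeQL library members; the table is far from complete.
DOCUMENTED = {
    "FunctionCall": {
        "getTarget": "Function",
        "getArgument": "Expr",
        "getNumberOfArguments": "int",
        "getLocation": "Location",
    },
    "Function": {"getName": "string", "hasName": "boolean", "getLocation": "Location"},
}

# Deterministic Auto-Fixer rules (constructed): (receiver class, wrong name) -> right name.
# getCallee is the JavaScript-library spelling, a typical cross-language carry-over.
AUTO_FIX_RULES = {
    ("FunctionCall", "getCallee"): "getTarget",
    ("FunctionCall", "getArg"): "getArgument",
}

# Constructed sample: an LLM draft containing two hallucinated predicates.
HALLUCINATED_QUERY = """
from FunctionCall fc
where fc.getCallee().hasName("strcpy")
  and fc.getNumArgs() = 2
select fc, "call to strcpy"
"""


@dataclass(frozen=True)
class Diagnostic:
    receiver_type: str
    name: str


def declared_types(query: str) -> dict:
    """Map variable names to their declared class from the `from` clause."""
    m = re.search(r"\bfrom\s+(.*?)\s+\bwhere\b", query, re.S)
    types = {}
    for decl in (m.group(1).split(",") if m else []):
        parts = decl.split()
        if len(parts) == 2:
            types[parts[1]] = parts[0]
    return types


def compile_check(query: str) -> list:
    """Toy compiler: type every `var.pred(...).pred(...)` chain against DOCUMENTED and
    return one Diagnostic per chain at the first predicate that does not resolve."""
    types = declared_types(query)
    diags = []
    for var, chain in re.findall(r"\b([A-Za-z_]\w*)((?:\.\w+\([^()]*\))+)", query):
        rtype = types.get(var)
        if rtype is None:
            continue  # not a declared variable; ignore
        for name in re.findall(r"\.(\w+)\(", chain):
            preds = DOCUMENTED.get(rtype, {})
            if name not in preds:
                diags.append(Diagnostic(rtype, name))
                break  # the rest of the chain cannot be typed
            rtype = preds[name]
    return diags


def rewrite(query: str, wrong: str, right: str) -> str:
    # Textual rename; a real Auto-Fixer would rewrite the AST and respect receiver types.
    return re.sub(rf"\.{re.escape(wrong)}\(", f".{right}(", query)


def auto_fix(query: str, diags: list):
    """Tier 1: deterministic rules for frequent, systematic API mistakes."""
    log, remaining = [], []
    for d in diags:
        right = AUTO_FIX_RULES.get((d.receiver_type, d.name))
        if right:
            query = rewrite(query, d.name, right)
            log.append(("auto_fixer", d.name, right))
        else:
            remaining.append(d)
    return query, remaining, log


def doc_guided_refine(query: str, diags: list):
    """Tier 2: choose the closest documented predicate of the receiver class.
    Stand-in for the LSP-guided, RAG-grounded step; difflib replaces the LLM here."""
    log = []
    for d in diags:
        candidates = sorted(DOCUMENTED.get(d.receiver_type, {}))
        match = difflib.get_close_matches(d.name, candidates, n=1, cutoff=0.6)
        if match:
            query = rewrite(query, d.name, match[0])
            log.append(("doc_guided", d.name, match[0]))
    return query, log


def repair(query: str, max_rounds: int = 3):
    """Compile -> fix -> recompile until clean or no tier applies. Returns (query, compiles, log)."""
    log = []
    for _ in range(max_rounds):
        diags = compile_check(query)
        if not diags:
            return query, True, log
        query, remaining, l1 = auto_fix(query, diags)
        query, l2 = doc_guided_refine(query, remaining)
        log += l1 + l2
        if not (l1 or l2):
            break  # neither tier can make progress; hand off to human triage
    return query, not compile_check(query), log


if __name__ == "__main__":
    fixed, ok, log = repair(HALLUCINATED_QUERY)
    print("compiles:", ok)
    for stage, wrong, right in log:
        print(f"  [{stage}] {wrong} -> {right}")
    print(fixed)
```

On the sample draft, `getCallee` is caught by the Auto-Fixer rule table, while `getNumArgs` has no rule and is resolved by the documentation-grounded tier to `getNumberOfArguments`; a name with no close documented match (the realistic hallucination case) leaves the loop with `compiles == False`, which is the point at which the paper's pipeline would hand the query to a human rather than keep guessing.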
European Workshop on Systems Security
2026-04-27
2026-05-09