Keeping older software versions secure often means backporting patches from newer releases. It is a routine but tedious job, especially for large open-source projects such as the Linux kernel. A new research effort has built a tool that uses a large language model to do that work automatically.
A team of researchers from China, the United States, and Canada created PortGPT, an AI system designed to automate the process of migrating security patches from mainline branches to older versions of software. They describe their method as an attempt to replicate the reasoning steps that developers use when they manually adapt patches.
Workflow of PortGPT
When old code needs new fixes
Open-source projects maintain different branches to support stability and long-term users. When a bug or vulnerability is fixed in the main branch, maintainers must bring that fix into stable and long-term support versions. This process, called backporting, can take time and often requires understanding how code has changed between versions.
Developers normally compare versions, trace code history, and make adjustments to ensure compatibility. But as codebases grow, this process becomes harder to scale. Many projects rely on manual effort and expert knowledge, which slows down patch delivery and can leave older systems exposed longer than necessary.
PortGPT’s authors note that earlier automation tools followed strict rules for syntax or structure and often failed when code evolved in unexpected ways. Even small differences, such as renamed functions or moved files, could stop them. The team set out to build something that could reason more like a human maintainer.
Teaching AI to think like a developer
PortGPT is built around a large language model that interacts with code through a set of specialized tools. These tools allow it to access source files, view code history, locate functions, and apply patches step by step.
The researchers observed how human developers handle backporting tasks and then gave PortGPT similar capabilities. For example, if the AI cannot find a function in the older version, it can search the Git history to see when the function was introduced or renamed. If a patch does not compile, it can use the compiler error messages to refine its work and try again.
Zhaoyang Li, one of the study’s co-authors, told Help Net Security that the goal was to bring a degree of reasoning and adaptability to patch automation that previous rule-based tools could not achieve. “PortGPT integrates Git history primarily to enhance the reliability and reasoning accuracy of LLM-based adaptation,” Li said.
Li added that this integration helps the system make smarter decisions about where and how to apply patches. By tracing historical changes, the AI can align newer patches with older versions of code, identifying renamed variables or relocated logic that might otherwise cause failures.
PortGPT’s process happens in two stages. First, it adapts each part of the patch, known as a “hunk,” to fit the target version. It checks whether the change still applies, looks up relevant symbols, and gathers supporting code snippets. Second, it combines all adapted hunks, applies the patch to the codebase, and runs a compilation test. If there are errors, the system analyzes them and adjusts the patch.
This approach allows PortGPT to use context and feedback rather than rely only on predefined transformation rules. It can reason about code relationships, understand when code has moved, and infer missing details from the repository’s history.
Numbers that tell the story
The team tested PortGPT on nearly two thousand patches from existing backporting studies. It achieved an 89.15 percent success rate on these established datasets, outperforming other automated tools such as FIXMORPH and TSBPORT. On a harder, self-built dataset of 146 complex cases across C, C++, and Go programs, the system succeeded in 62.33 percent of cases.
To check real-world performance, the researchers applied PortGPT to Linux and Ubuntu patches released after the training data cutoff. On the Linux 6.1 stable branch, the tool successfully backported nine out of 18 patches. All nine were later accepted by the Linux community, showing that the AI-generated patches met practical standards.
The team also ran tests on Ubuntu updates, backporting 10 out of 16 patches for multiple CVEs. These results suggest that PortGPT could assist maintainers in keeping long-term branches up to date, especially when human resources are limited.
Where AI still struggles
PortGPT’s strong results rely in part on the structured, high-quality data available in mature open-source projects. Li noted that performance might drop when working with repositories that lack consistent commit information. “In our experiments, which mainly focused on the Linux kernel, we did not encounter significant issues since its commit metadata is generally of high quality,” he said. “In repositories with poor or inconsistent commit history, such as incomplete messages or squashed commits, PortGPT’s performance may degrade due to missing or misleading contextual information.”
He added that this limitation is not unique to AI. “This limitation is, in fact, similar to what human maintainers experience, since poor historical commit records often make backporting tasks more difficult and less reliable,” Li said.
Why it works when others fail
Unlike rule-based systems, PortGPT treats code backporting as a reasoning problem. It uses the language model’s ability to interpret code context and respond to feedback from validation tools. The system can access and summarize Git diffs, trace function changes across versions, and use compiler feedback to fix mistakes.
The researchers also designed mechanisms to detect when a patch cannot be applied directly. If a file path has changed, PortGPT looks for renamed or similar files. If context lines do not match, it calculates the closest code block using an edit-distance measure. Only after several failed attempts does it automatically correct context lines and try again.
What this means for software security
While PortGPT is still research, its success hints at how AI could change patch management for open-source software. Automating backporting could reduce the time between vulnerability disclosure and patch availability for older systems. It might also help security teams who depend on long-term support distributions keep them current without large manual workloads.
The work also highlights a broader trend toward using large language models as autonomous agents for software maintenance. By integrating code comprehension, version control awareness, and feedback loops, tools like PortGPT show how AI can participate in real development workflows.
