Protecting older versions of software often means backporting patches from newer versions. This is routine but tedious work, especially for large open source projects such as the Linux kernel. A new research effort has created a tool that uses a large language model to do this work automatically.
A team of researchers from China, the United States and Canada created PortGPT, an AI system designed to automate the process of migrating security patches from major branches to older software versions. They describe their method as an attempt to replicate the reasoning steps developers use when manually adapting patches.
PortGPT workflow
When old code needs new fixes
Open source projects maintain different branches to support long-term stability and users. When a bug or vulnerability is fixed in the main branch, maintainers should integrate that fix into stable, long-term support releases. This process, called backporting, can take time and often requires understanding how the code has changed between versions.
Developers typically compare versions, trace code history, and make adjustments to ensure compatibility. But as codebases grow, this process becomes more difficult to scale. Many projects rely on manual effort and expert knowledge, which slows patch delivery and can leave legacy systems exposed longer than necessary.
The PortGPT authors note that previous automation tools followed strict rules about syntax or structure and often failed when the code evolved in unexpected ways. Even small differences, such as renamed functions or moved files, could stop them. The team decided to build something that could think more like a human manager.
Teaching AI to think like a developer
PortGPT is built around a large language model that interacts with code through a set of specialized tools. These tools allow it to access source files, view code history, locate functions, and apply patches step by step.
The researchers observed how human developers handle backport tasks and then gave PortGPT similar functionality. For example, if the AI can’t find a feature in the old version, it can search the Git history to see when the feature was introduced or renamed. If a patch doesn’t compile, it can use compiler error messages to refine its work and try again.
Zhaoyang Li, one of the study’s co-authors, told Help Net Security that the goal was to bring a degree of reasoning and adaptability to patch automation that previous rules-based tools couldn’t achieve. “PortGPT integrates Git history mainly to improve the reliability and reasoning accuracy of LLM-based adaptation,” Li said.
Li added that this integration helps the system make smarter decisions about where and how to apply patches. By tracing historical changes, AI can align the most recent fixes with older versions of code, identifying renamed variables or moved logic that might otherwise cause failures.
The PortGPT process takes place in two stages. First, it adapts each part of the patch, called a “chunk”, to fit the target version. It checks if the change still applies, searches for relevant symbols, and gathers supported code snippets. Second, it combines all the relevant elements, applies the patch to the code base, and runs a build test. If there are errors, the system analyzes them and adjusts the fix.
This approach allows PortGPT to use context and comments rather than relying solely on predefined transformation rules. It can reason about relationships between codes, understand when code was moved, and infer missing details from repository history.
Numbers that tell a story
The team tested PortGPT on nearly two thousand patches from existing backport studies. It achieved an 89.15% success rate on these established datasets, outperforming other automated tools such as FIXMORPH and TSBPORT. On a more complex, self-constructed dataset of 146 complex cases in C, C++, and Go programs, the system succeeded in 62.33% of cases.
To check real-world performance, the researchers applied PortGPT to Linux and Ubuntu patches released after the training data deadline. On the stable Linux 6.1 branch, the tool managed to backport nine of the 18 fixes. All nine were subsequently accepted by the Linux community, demonstrating that the AI-generated patches met practical standards.
The team also performed testing on Ubuntu updates, backporting 10 of 16 fixes for several CVEs. These results suggest that PortGPT could help maintainers keep branches up to date in the long term, especially when human resources are limited.
Where AI still struggles
PortGPT’s strong results are based in part on the high-quality, structured data available in mature open source projects. Li noted that performance can drop when working with repositories that lack consistent validation information. “In our experiments, mainly focused on the Linux kernel, we have not encountered major problems since its validation metadata is generally of high quality,” he said. “In repositories with poor or inconsistent commit history, such as incomplete messages or overwritten commits, PortGPT performance may degrade due to missing or misleading contextual information.”
He added that this limitation is not unique to AI. “This limitation is, in fact, similar to that faced by human maintainers, because poor historical commit records often make backporting tasks more difficult and less reliable,” Li said.
Why it works when others fail
Unlike rule-based systems, PortGPT treats code backporting as a reasoning problem. It uses the language model’s ability to interpret code context and respond to comments from validation tools. The system can access and summarize Git differences, track feature changes between versions, and use compiler comments to fix errors.
The researchers also designed mechanisms to detect when a patch cannot be applied directly. If a file’s path has changed, PortGPT searches for renamed or similar files. If the context lines don’t match, it calculates the closest block of code using an edit distance metric. Only after several failed attempts does it automatically correct the context lines and try again.
What this means for software security
Although PortGPT is still in research, its success suggests how AI could change patch management for open source software. Automating backporting could reduce the time between vulnerability disclosure and patch availability for older systems. It could also help security teams that rely on long-term support distributions stay up to date without heavy manual workloads.
The work also highlights a broader trend toward using large language models as autonomous agents for software maintenance. By integrating code understanding, version control awareness, and feedback loops, tools like PortGPT show how AI can participate in real development workflows.
