🤖 AI Summary
This work addresses the challenge of simultaneously achieving function-level vulnerability detection and statement-level localization, a task hindered by two gaps: the lack of effective fusion of multimodal code features and the lack of fine-grained supervision. To this end, we propose a dual-channel parallel framework that separately models control dependence graphs and code semantic embeddings, aligning and integrating these modalities through contrastive learning and bidirectional cross-attention mechanisms. Explicit multi-granularity supervision is introduced at both function and statement levels, enabling, for the first time, joint optimization of the two tasks. Experimental results on large-scale real-world vulnerability benchmarks demonstrate that our approach significantly outperforms current state-of-the-art methods.
📝 Abstract
Software vulnerability detection plays a critical role in ensuring system security, where real-world auditing requires not only determining whether a function is vulnerable but also pinpointing the specific lines responsible. However, existing approaches either rely on a single information source -- sequential, structural, or semantic -- failing to jointly exploit the complementary strengths across modalities, or treat statement-level localization merely as a byproduct of function-level detection without explicit line-level supervision. To address these limitations, we propose DCVD (Dual-Channel Cross-Modal Vulnerability Detection), a unified framework that performs joint function-level detection and statement-level localization. DCVD extracts control-dependency and semantic features through two parallel branches and integrates them via contrastive alignment coupled with bidirectional cross-attention, effectively bridging the cross-modal representation gap. It further introduces explicit supervision signals at both the function and statement levels, enabling collaborative optimization across the two granularities. Extensive experiments on a large-scale real-world vulnerability benchmark demonstrate that DCVD consistently outperforms state-of-the-art methods on both function-level detection and statement-level localization. Our code is available at https://github.com/vinsontang1/DCVD.