Existing automated vulnerability management approaches struggle to model cross-function or cross-module contextual dependencies and often overlook the utility of historical vulnerability knowledge in addressing recurring flaws. To address these limitations, this work proposes MAVM, a novel multi-agent end-to-end framework that uniquely integrates a multi-agent architecture with a vulnerability knowledge base. By leveraging a context-retrieval tool to circumvent the input-length constraints of large language models, MAVM systematically orchestrates the entire vulnerability lifecycle—from detection and confirmation to repair and validation. Evaluated on a benchmark of 78 real-world patch backporting cases, MAVM successfully repaired 51 vulnerabilities, achieving a repair accuracy improvement of 31.9%–45.2% over baseline methods and substantially enhancing the efficacy of detecting and fixing recurrent vulnerabilities.

Software vulnerability management has become increasingly critical as modern systems scale in size and complexity. However, existing automated approaches remain insufficient. Traditional static analysis methods struggle to precisely capture contextual dependencies, especially when vulnerabilities span multiple functions or modules. Large language models (LLMs) often lack the ability to retrieve and exploit sufficient contextual information, resulting in incomplete reasoning and unreliable outcomes. Meanwhile, recurring vulnerabilities emerge repeatedly due to code reuse and shared logic, making historical vulnerability knowledge an indispensable foundation for effective vulnerability detection and repair. Nevertheless, prior approaches such as clone-based detection and patch porting, have not fully leveraged this knowledge. To address these challenges, we present MAVM, a multi-agent framework for end-to-end recurring vulnerability management. MAVM integrates five components, including a vulnerability knowledge base, detection, confirmation, repair, and validation, into a unified multi-agent pipeline. We construct a knowledge base from publicly disclosed vulnerabilities, thereby addressing the underuse of historical knowledge in prior work and mitigating the lack of domain-specific expertise in LLMs. Furthermore, we design context-retrieval tools that allow agents to extract and reason over repository-level information, overcoming the contextual limitations of previous methods. Based on agents, MAVM effectively simulates real-world security workflows. To evaluate the performance of MAVM, we construct a dataset containing 78 real-world patch-porting cases (covering 114 function-level migrations). On this dataset, MAVM successfully detects and repairs 51 real vulnerabilities, outperforming baselines by 31.9%-45.2% in repair accuracy, which demonstrates its effectiveness.