VulKey: Automated Vulnerability Repair Guided by Domain-Specific Repair Patterns

📅 2026-05-03
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing large language model (LLM)-based vulnerability repair approaches struggle to integrate structured security knowledge from sources such as CWE and NVD, which limits their repair performance. This work proposes VulKey, a framework that explicitly models expert repair strategies as a three-level hierarchical repair pattern (CWE type, syntactic actions, and semantic key elements) and employs a two-stage process: first matching an appropriate repair pattern to the vulnerability, then using that pattern to guide a fine-tuned LLM toward a precise patch. By pairing the generality of abstract templates with the semantic richness of concrete examples, VulKey avoids the coverage limits of conventional template-based methods and the rigidity of few-shot examples. Experimental results show that VulKey reaches a repair accuracy of 31.5% on the C/C++ dataset PrimeVul, surpassing the best baseline by 7.6%, and sets a new state of the art on the Java benchmark Vul4J, demonstrating cross-language generalizability.
📝 Abstract
The increasing prevalence of software vulnerabilities highlights the need for effective Automatic Vulnerability Repair (AVR) tools. While LLM-based approaches are promising, they struggle to incorporate structured security knowledge from sources like CWE and NVD. Current methods either use this information superficially by concatenating the CWE-ID into the input prompt, yielding negligible benefits, or rely on few-shot learning with rigid, non-generalizable examples, which limits their effectiveness in real-world scenarios. To address this gap, we propose VulKey, an LLM-based AVR framework that leverages a hierarchical abstraction of expert knowledge to guide patch generation. Our novel three-level abstraction formulates repair strategies in terms of CWE type, syntactic actions, and semantic key elements. This approach captures the essence of a security fix with greater generality than concrete examples and more semantic richness than traditional syntax-based templates, overcoming the coverage limitations of prior methods. VulKey is implemented as a two-stage pipeline: first, expert knowledge matching predicts an appropriate repair pattern for the vulnerability; second, repair code generation uses a pattern-guided, fine-tuned LLM to produce secure patches. On the real-world C/C++ dataset PrimeVul, VulKey achieves 31.5% repair accuracy, surpassing the best baseline by 7.6% and outperforming leading tools such as VulMaster and GPT-5. Moreover, VulKey demonstrates cross-language and cross-model generalizability, with state-of-the-art performance on the Java benchmark Vul4J. These results underscore the importance of structured expert knowledge in advancing AVR effectiveness. Our work demonstrates that explicitly modeling and integrating expert security knowledge through hierarchical patterns is a crucial step toward building more effective and reliable AVR tools.
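To make the three-level abstraction concrete, the following added example (not VulKey's code; the pattern schema, the regex-based slot filling, the two repair actions and the `on_fail` statement are all assumptions made for illustration) models a repair pattern as CWE type, syntactic action, and the semantic roles that action needs, then runs a two-stage pipeline over constructed C snippets: stage 1 selects a pattern and fills its roles from the code, stage 2 turns the filled pattern into structured guidance and applies the action at the identified site. The deterministic `apply_pattern` stands in for the pattern-guided LLM; the point is to show how much more a filled pattern carries than a bare CWE-ID appended to a prompt.

```python
"""Three-level repair pattern (CWE type -> syntactic action -> semantic key elements)
driving a two-stage repair step. Added illustration, not VulKey's implementation."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RepairPattern:
    cwe: str       # level 1: vulnerability class
    action: str    # level 2: syntactic repair action
    roles: tuple   # level 3: semantic slots the action must be given


# Hypothetical pattern library, constructed for this example.
PATTERNS = (
    RepairPattern("CWE-476", "guard_dereference", ("pointer", "site")),
    RepairPattern("CWE-787", "guard_index", ("buffer", "index", "bound", "site")),
)

DEREF_RE = re.compile(r"^\s*(\w+)->\w+")          # statement beginning with p->field
WRITE_RE = re.compile(r"^\s*(\w+)\[(\w+)\]\s*=")  # statement beginning with buf[i] =
SIZE_PARAM_RE = re.compile(r"\bsize_t\s+(\w+)\b") # first size_t parameter taken as bound


def extract_key_elements(pattern, lines):
    """Fill the level-3 roles from the code, or return None if the action has no site.
    Regex heuristics stand in for the paper's learned matching (assumption)."""
    if pattern.action == "guard_dereference":
        for i, line in enumerate(lines):
            m = DEREF_RE.match(line)
            if m:
                return {"pointer": m.group(1), "site": i}
    elif pattern.action == "guard_index":
        bound = None
        for line in lines:
            m = SIZE_PARAM_RE.search(line)
            if m:
                bound = m.group(1)
                break
        if bound is None:
            return None  # no length parameter to check against: pattern does not apply
        for i, line in enumerate(lines):
            m = WRITE_RE.match(line)
            if m:
                return {"buffer": m.group(1), "index": m.group(2), "bound": bound, "site": i}
    return None


def match_pattern(cwe, code):
    """Stage 1: choose a pattern by CWE and confirm its semantic slots can be filled."""
    lines = code.splitlines()
    for p in PATTERNS:
        if p.cwe == cwe:
            elems = extract_key_elements(p, lines)
            if elems is not None:
                return p, elems
    return None, None


def build_guidance(pattern, elems):
    """Stage 2 input: structured guidance rather than a bare CWE-ID."""
    slots = ", ".join(f"{r}={elems[r]}" for r in pattern.roles if r != "site")
    return f"{pattern.cwe}: apply {pattern.action} with {slots}"


def apply_pattern(pattern, elems, code, on_fail="return -1;"):
    """Deterministic stand-in for the guided generator: insert the guard at the site.
    `on_fail` is assumed; in real code it depends on the function's error contract."""
    lines = code.splitlines()
    site = elems["site"]
    indent = re.match(r"\s*", lines[site]).group(0)
    if pattern.action == "guard_dereference":
        guard = f"{indent}if ({elems['pointer']} == NULL) {on_fail}"
    elif pattern.action == "guard_index":
        guard = f"{indent}if ({elems['index']} >= {elems['bound']}) {on_fail}"
    else:
        raise ValueError(f"unknown action {pattern.action}")
    return "\n".join(lines[:site] + [guard] + lines[site:])


def repair(cwe, code, on_fail="return -1;"):
    """Whole pipeline: returns (guidance, patched_code), or (None, None) if no pattern fits."""
    pattern, elems = match_pattern(cwe, code)
    if pattern is None:
        return None, None
    return build_guidance(pattern, elems), apply_pattern(pattern, elems, code, on_fail)


# Constructed vulnerable snippets (not from any dataset).
NULL_DEREF = """int reset(struct node *n) {
    n->count = 0;
    return n->count;
}"""

OOB_WRITE = """int store(int *buf, size_t len, size_t i, int v) {
    buf[i] = v;
    return 0;
}"""

if __name__ == "__main__":
    for cwe, snippet in (("CWE-476", NULL_DEREF), ("CWE-787", OOB_WRITE)):
        guidance, patched = repair(cwe, snippet)
        print(guidance)
        print(patched, end="\n\n")
```

Note the failure mode the matcher handles: asking for `CWE-787` on the null-dereference snippet yields no pattern, because the `bound` role cannot be filled, rather than a guard against a bound that does not exist. Whether a real system can reliably fill such roles from unfamiliar code is exactly the matching problem the abstract attributes to stage 1.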
Problem

Research questions and friction points this paper is trying to address.

Automatic Vulnerability Repair
LLM-based AVR
structured security knowledge
CWE
NVD
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automatic Vulnerability Repair
Hierarchical Abstraction
Repair Patterns
LLM-based Code Generation
Structured Security Knowledge