LLaVul: A Multimodal LLM for Interpretable Vulnerability Reasoning about Source Code

📅 2025-09-21
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing vulnerability analysis methods typically reduce the problem to static classification, limiting their ability to support context-sensitive and interpretable security reasoning. To address this, we propose VulMLM—the first multimodal large language model specifically designed for vulnerability reasoning—capable of fine-grained vulnerability localization, attribution, and question answering via joint modeling of source code and security-semantic queries within a unified representation space. VulMLM integrates code embeddings, natural language understanding, and security-focused instruction tuning. We further introduce VulQA, the first real-world benchmark dataset for vulnerability-oriented question answering. Extensive experiments demonstrate that VulMLM significantly outperforms both general-purpose and code-specialized large language models on vulnerability detection and security question-answering tasks, achieving superior accuracy while maintaining strong interpretability.

📝 Abstract
Increasing complexity in software systems places a growing demand on reasoning tools that unlock vulnerabilities that manifest in source code. Many current approaches focus on vulnerability analysis as a classification task, oversimplifying the nuanced and context-dependent real-world scenarios. Even though current code large language models (LLMs) excel in code understanding, they often pay little attention to security-specific reasoning. We propose LLaVul, a multimodal LLM tailored to provide fine-grained reasoning about code through question-answering (QA). Our model is trained to integrate paired code and natural queries into a unified space, enhancing reasoning and context-dependent insights about code vulnerability. To evaluate our model's performance, we construct a curated dataset of real-world vulnerabilities paired with security-focused questions and answers. Our model outperforms state-of-the-art general-purpose and code LLMs in the QA and detection tasks. We further explain decision-making by conducting qualitative analysis to highlight capabilities and limitations. By integrating code and QA, LLaVul enables more interpretable and security-focused code understanding.

Problem

Research questions and friction points this paper is trying to address.

Addressing oversimplified vulnerability classification in complex software systems
Enhancing security-specific reasoning capabilities in code language models
Providing interpretable vulnerability analysis through multimodal question-answering
Innovation

Methods, ideas, or system contributions that make the work stand out.

Multimodal LLM integrating code and natural queries
Trained for fine-grained vulnerability reasoning via QA
Unified representation space for enhanced security insights