Attacker Control and Bug Prioritization

📅 2025-01-29
📈 Citations: 0
Influential: 0
🤖 AI Summary
Because vulnerability discovery outpaces remediation, this paper argues that bug prioritization should be driven by exploitability, and in particular by how much control an attacker has over a vulnerability's parameters. It shows that taint, as well as simple qualitative and quantitative notions of control, is too coarse to separate vulnerabilities, and instead introduces Domains of Control: the sets of feasible values a parameter can take, which make it possible to factor in threat models and expert insight. The Shrink and Split algorithm extracts these domains from the path constraints produced by symbolic execution and renders them in a compact, human-readable form, from which richer metrics such as weighted Quantitative Control (which weights values by their threat level) can be computed automatically. Experiments show that the method distinguishes closely related CVEs (CVE-2019-14192 vs. CVE-2022-30552), reveals a mistake in a human evaluation (CVE-2022-30790), and brings the assessment pipeline close to full automation.

📝 Abstract
As bug-finding methods improve, bug-fixing capabilities are exceeded, resulting in an accumulation of potential vulnerabilities. There is thus a need for efficient and precise bug prioritization based on exploitability. In this work, we explore the notion of control of an attacker over a vulnerability's parameters, which is an often overlooked factor of exploitability. We show that taint as well as straightforward qualitative and quantitative notions of control are not enough to effectively differentiate vulnerabilities. Instead, we propose to focus analysis on feasible value sets, which we call domains of control, in order to better take into account threat models and expert insight. Our new Shrink and Split algorithm efficiently extracts domains of control from path constraints obtained with symbolic execution and renders them in an easily processed, human-readable form. This in turn makes it possible to automatically compute more complex control metrics, such as weighted Quantitative Control, which factors in the varying threat levels of different values. Experiments show that our method is both efficient and precise. In particular, it is the only one able to distinguish between vulnerabilities such as CVE-2019-14192 and CVE-2022-30552, while revealing a mistake in the human evaluation of CVE-2022-30790. The high degree of automation of our tool also brings us closer to a fully-automated evaluation pipeline.

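The abstract contrasts three ways of measuring attacker control: taint (is the parameter attacker-influenced at all), plain quantitative control (what fraction of the parameter's domain the attacker can reach), and weighted quantitative control over a domain of control (the feasible value set, with each value weighted by how dangerous it is). The following Python is an added illustration of those three notions on two hypothetical bugs; it is not the paper's Shrink and Split algorithm or tool, and the 16-bit length field, the 64-byte buffer, the two bug scenarios and the step-function threat weight are all assumptions made for the example. Path constraints are modelled as plain predicates and the feasible set is found by enumerating the bounded domain, a stand-in for the constraint solving a symbolic executor would do.

```python
# Added example: toy model of "domains of control" and weighted Quantitative
# Control (wQC). NOT the paper's Shrink and Split implementation; every
# constant and both bug scenarios below are assumptions for illustration.
from typing import Callable, Iterable

Constraint = Callable[[int], bool]
Interval = tuple[int, int]

LO, HI = 0, 0xFFFF        # assumed: the parameter is a 16-bit length field
BUF_SIZE = 64             # assumed: n bytes are copied into a 64-byte buffer


def domain_of_control(constraints: Iterable[Constraint],
                      lo: int = LO, hi: int = HI) -> list[Interval]:
    """Feasible values of the parameter under the path constraints.

    `constraints` stands in for the conditions a symbolic executor collects
    on the path to the vulnerable instruction. Feasible values are found by
    brute-force enumeration of [lo, hi] (fine for a 16-bit value), and runs
    of consecutive values are merged into closed intervals so the domain is
    compact and readable.
    """
    constraints = list(constraints)
    intervals: list[Interval] = []
    for v in range(lo, hi + 1):
        if not all(c(v) for c in constraints):
            continue
        if intervals and intervals[-1][1] == v - 1:
            intervals[-1] = (intervals[-1][0], v)   # extend the current run
        else:
            intervals.append((v, v))                # start a new run
    return intervals


def cardinality(intervals: Iterable[Interval]) -> int:
    return sum(b - a + 1 for a, b in intervals)


def quantitative_control(intervals: Iterable[Interval],
                         lo: int = LO, hi: int = HI) -> float:
    """Plain QC: share of the whole domain the attacker can reach."""
    return cardinality(intervals) / (hi - lo + 1)


def weighted_quantitative_control(intervals: Iterable[Interval],
                                  weight: Callable[[int], float],
                                  lo: int = LO, hi: int = HI) -> float:
    """wQC: like QC, but each value counts with its threat weight in [0, 1]."""
    total = sum(weight(v) for v in range(lo, hi + 1))
    reachable = sum(weight(v) for a, b in intervals for v in range(a, b + 1))
    return reachable / total if total else 0.0


def overflow_weight(n: int) -> float:
    """Assumed threat model: copying up to BUF_SIZE bytes is harmless,
    anything longer overflows the buffer and gets full weight."""
    return 1.0 if n > BUF_SIZE else 0.0


def compare_bugs() -> dict:
    """Two hypothetical bugs; the length parameter is tainted in both.

    bug_a: the length is parsed from a single byte, so any n in [0, 255].
    bug_b: the format fixes the high byte to 0x01 and the attacker supplies
           the low byte, so n is in [256, 511].
    Taint and plain QC cannot tell them apart; wQC can, because almost all
    of bug_a's domain stays inside the buffer while all of bug_b's overflows.
    """
    bug_a = domain_of_control([lambda n: n <= 0xFF])
    bug_b = domain_of_control([lambda n: (n >> 8) == 0x01])
    return {
        "a": (bug_a, quantitative_control(bug_a),
              weighted_quantitative_control(bug_a, overflow_weight)),
        "b": (bug_b, quantitative_control(bug_b),
              weighted_quantitative_control(bug_b, overflow_weight)),
    }


if __name__ == "__main__":
    for name, (dom, qc, wqc) in compare_bugs().items():
        print(f"bug_{name}: domain={dom}  QC={qc:.6f}  wQC={wqc:.6f}")
```

Both bugs yield a domain of 256 values and therefore the same plain QC (256/65536), which is exactly the situation where taint and cardinality-based metrics stop being useful; the weighted metric separates them because only 191 of bug_a's values exceed the buffer while all 256 of bug_b's do. Swapping in a finer weight function (for instance one that scores by how far past the buffer the copy reaches) is how expert knowledge of the threat model enters the score.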
Problem

Research questions and friction points this paper is trying to address.

Software Vulnerabilities
Vulnerability Assessment
Security Risk
Innovation

Methods, ideas, or system contributions that make the work stand out.

Shrink and Split algorithm
Control Domain
Vulnerability Prioritization