A large language model-based analysis of vulnerability discovery in windows software

Puya Pakshad; Samson Quaye; Jamal Al-Karaki; Marwan Omar; Maurice E. Dawson

doi:10.2478/ijmce-2026-0019

.blurhash-client-img { display: none !important; }

A large language model-based analysis of vulnerability discovery in windows software

International Journal of Mathematics and Computer in Engineering

AHEAD OF PRINT

By: Puya Pakshad, Samson Quaye, Jamal Al-Karaki, Marwan Omar and Maurice E. Dawson

Open Access

|Jun 2026

Abstract

Source code security auditing is essential before software release in order to identify programming faults that may lead to vulnerabilities and functional failures. In this paper, we present a structured security assessment of the Windows App SDK by integrating multiple static analysis tools with a context-aware and disagreement-aware Large Language Model (LLM) interpretation layer. Although static analyzers are effective in reporting potential weaknesses, their raw outputs often contain redundant alerts, limited contextual explanation, and inconsistent severity assignments. To address these limitations, the proposed LLM-based interpretation layer normalizes and de-duplicates alerts, filters context-limited or nonactionable warnings, and refines severity prioritization under inter-tool disagreement without introducing new vulnerability discoveries. Experimental results show the security findings before and after LLM-based interpretation. In particular, the proposed framework reduces static-analysis alerts by 62.5%. In addition, disagreement-aware severity refinement eliminates over-prioritized critical findings and improves prioritization by reducing Medium findings from 11 to 7 and Low findings from 42 to 28. These results demonstrate the potential of LLM-based interpretation to reduce noise in static-analysis outputs and improve vulnerability prioritization for practical security assessment.

References

Cusumano M.A., Selby R.W., Microsoft Secrets: How the World's Most Powerful Software Company Creates Technology, Shapes Markets, and Manages People, Simon and Schuster, USA, 1998.
Search in Google Scholar Back to article
Microsoft Documentation., Visual Basic docs: Get Started, Tutorials, Reference, https://learn.microsoft.com/en-us/dotnet/visual-basic/, Accessed: January 1, 2024.
Search in Google Scholar Back to article
MacMichael D., What's New in Windows App SDK 1.6, Windows Developer Blog, https://blogs.windows.com/windowsdeveloper/2024/09/04/whats-new-in-windows-app-sdk-1-6/, Accessed: September 4, 2024.
Search in Google Scholar Back to article
ComponentOne., WinUI vs WPF, WinForms, UWP, and MFC, https://developer.mescius.com/blogs/winui-vs-wpf-winforms-uwp-and-mfc, Accessed: October 3, 2023.
Search in Google Scholar Back to article
Microsoft Documentation., Windows UI library (WinUI), https://learn.microsoft.com/en-us/windows/apps/winui/, Accessed: January 1, 2024.
Search in Google Scholar Back to article
Microsoft Documentation., Introduction to C++/WinRT, https://learn.microsoft.com/en-us/windows/uwp/cpp-and-winrt-apis/intro-to-using-cpp-with-winrt, Accessed: November 18, 2022.
Search in Google Scholar Back to article
MITRE., Common Weakness Enumeration (CWE), https://cwe.mitre.org/, Accessed: January 1, 2024.
Search in Google Scholar Back to article
Microsoft., Microsoft Digital Defense Report 2024, https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024, Accessed: January 1, 2024.
Search in Google Scholar Back to article
CVE., .NET Framework Remote Code Execution Vulnerability (CVE-2022-41089), https://www.cvedetails.com/cve/CVE-2022-41089/, Accessed: January 1, 2022.
Search in Google Scholar Back to article
Microsoft Documentation., Overview of .NET Framework, https://learn.microsoft.com/en-us/dotnet/framework/get-started/overview, Accessed: March 29, 2023.
Search in Google Scholar Back to article
Di W., Lin C., Yuming Z., Baowen X., An extensive empirical study on C++ concurrency constructs, Information and Software Technology, 76, 1-18, 2016.
Search in Google Scholar Back to article
Pereira J.D., Vieira M., On the use of open-source C/C++ static analysis tools in large projects, European Dependable Computing Conference (EDCC), 07-10 September 2020, Germany.
Search in Google Scholar Back to article
Verdi M., Sami A., Akhondali J., Khomh F., Uddin G., Motlagh A.K., An empirical study of C/C++ vulnerabilities in crowd-sourced code examples, IEEE Transactions on Software Engineering, 48(5), 1497-1514, 2020.
Search in Google Scholar Back to article
Microsoft Documentation., Build desktop Windows Apps With The Windows App SDK, https://learn.microsoft.com/en-us/windows/apps/windows-app-sdk/, Accessed: January 1, 2024.
Search in Google Scholar Back to article
Chess B., Britton K., Eng C., Pugh B., Raghavan L., West J., Static analysis in motion, IEEE Security & Privacy, 10(3), 53-56, 2012.
Search in Google Scholar Back to article
Ye T., Zhang L., Wang L., Li X., An empirical study on detecting and fixing buffer overflow bugs, IEEE International Conference on Software Testing, Verification and Validation (ICST), 11-15 April 2016, USA.
Search in Google Scholar Back to article
Microsoft Documentation., Class Library Overview, https://learn.microsoft.com/en-us/cpp/mfc/class-library-overview?view=msvc-170, Accessed: August 3, 2021.
Search in Google Scholar Back to article
Microsoft Documentation., What is Windows Forms - Windows Forms .NET, https://learn.microsoft.com/en-us/dotnet/desktop/winforms/overview/?view=netdesktop-9.0, Accessed: November 14, 2024.
Search in Google Scholar Back to article
Microsoft Documentation., What is Windows Presentation Foundation (WPF) - WPF .NET, https://learn.microsoft.com/en-us/dotnet/desktop/wpf/overview/?view=netdesktop-9.0, Accessed: October 29, 2024.
Search in Google Scholar Back to article
Crudu V., What are The Emerging Trends in XAML Development, https://moldstud.com/articles/p-what-are-the-emerging-trends-in-xaml-development, Accessed: September 2, 2024.
Search in Google Scholar Back to article
Microsoft Documentation., What's a Universal Windows Platform (UWP) App? UWP applications https://learn.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide, Accessed: January 1, 2024.
Search in Google Scholar Back to article
Rahman M., Beginning Microsoft Kinect for Windows SDK 2.0: Motion and Depth Sensing for Natural User Interfaces, Apress, USA, 2017.
Search in Google Scholar Back to article
Lu B., Dong W., Yin L., Zhang L., Software Analysis, Testing, and Evolution, (Chapter: Evaluating and integrating diverse bug finders for effective program analysis), Lecture Notes in Computer Science, 8th International Conference on Software Analysis, Testing, and Evolution, 23-24 November 2018, China.
Search in Google Scholar Back to article
Miele P., Alquwaisem M., Kim D.K., Comparative assessment of static analysis tools for software vulnerability, Journal of Computers, 13(10), 1136-1144, 2018.
Search in Google Scholar Back to article
Malik A., Naveed M.S., Analysis of code vulnerabilities in repositories of GitHub and RosettaCode: A comparative study, International Journal of Information in Science and Technology, 4(2), 499-511, 2022.
Search in Google Scholar Back to article
Alqaradaghi M., Kozsik T., Comprehensive evaluation of static analysis tools for their performance in finding vulnerabilities in Java code, IEEE Access, 12, 55824-55842, 2024.
Search in Google Scholar Back to article
Zhang H., Wang S., Li H., Chen T.H., Hassan A.E., A study of C/C++ code weaknesses on stack overflow, IEEE Transactions on Software Engineering, 48(7), 2359-2375, 2021.
Search in Google Scholar Back to article
Ning Y., Zhang Y., Ma C., Guo Z., Yu L., Empirical study of software composition analysis tools for C/C++ binary programs, IEEE Access, 12, 50418-50430, 2023.
Search in Google Scholar Back to article
Arusoaie A., Ciobâca S., Craciun V., Gavrilut D., Lucanu D., A comparison of open-source static analysis tools for vulnerability detection in C/C++ code, 19th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), 21-24 September 2017, Romania.
Search in Google Scholar Back to article
Zampetti F., Scalabrino S., Oliveto R., Canfora G., Penta M.D., How open source projects use static code analysis tools in continuous integration pipelines, IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), 20-21 May 2017, Argentina.
Search in Google Scholar Back to article
Piran A., Chang C.P., Fard A.M., Vulnerability analysis of similar code, IEEE International Conference on Software Quality, Reliability and Security (QRS), 06-10 December 2021, China.
Search in Google Scholar Back to article
Yeboah J., Popoola S., Efficacy of static analysis tools for software defect detection on open-source projects, arXiv:2405.12333, 2024.
Search in Google Scholar Back to article
Klieber W., Flynn L., Evaluating Static Analysis Alerts with LLMs, https://www.sei.cmu.edu/blog/evaluating-static-analysis-alerts-with-llms/, Accessed: December 31, 2024.
Search in Google Scholar Back to article
Mohajer M.M., et al., SkipAnalyzer: A tool for static code analysis with large language models, arXiv:2310.18532, 2023.
Search in Google Scholar Back to article
Kharkar A., et al., Learning to reduce false positives in analytic bug detectors, arXiv:2203.09907, 2022.
Search in Google Scholar Back to article
Mashhadi E., et al., An empirical study on bug severity estimation using source code metrics and static analysis, arXiv:2206.12927, 2022.
Search in Google Scholar Back to article
Li F., Jiang J., Chen D., Xiong Y., LLM-based vulnerability detection at project scale: An empirical study, arXiv:2601.19239, 2026.
Search in Google Scholar Back to article
Du X., et al., Reducing false positives in static bug detection with LLMs: An empirical study in industry, arXiv:2601.18844, 2026.
Search in Google Scholar Back to article
Pushkar C., Kabra S., Kumar D., Challa J.S., Beyond single bugs: Benchmarking large language models for multivulnerability detection, arXiv:2512.22306, 2025.
Search in Google Scholar Back to article
Park S., Ko G., Cho H., On the effectiveness of instruction-tuning local LLMs for identifying software vulnerabilities, arXiv:2512.20062, 2025.
Search in Google Scholar Back to article
Saju M.H., Muhtadi M., Azim A., An empirical evaluation of LLM-based approaches for code vulnerability detection: RAG, SFT, and Dual-Agent systems, IEEE International Conference on Collaborative Advances in Software and Computing (CASCON), 10-13 November 2025, Canada.
Search in Google Scholar Back to article
Cao D., Liao Y., Shang X., Realvul: Can we detect vulnerabilities in web applications with LLM?, arXiv:2410.07573, 2024.
Search in Google Scholar Back to article
Sultana S., Afreen S., Eisty N.U., LLMs in code vulnerability analysis: A proof of concept, arXiv:2601.08691, 2026.
Search in Google Scholar Back to article
Haurogné J., Basheer N., Islam S., Vulnerability detection using BERT based LLM model with transparency obligation practice towards trustworthy AI, Machine Learning with Applications, 18, 100598, 2024.
Search in Google Scholar Back to article
Kaur A., Nayyar R., A comparative study of static code analysis tools for vulnerability detection in C/C++ and Java source code, Procedia Computer Science, 171, 2023-2029, 2020.
Search in Google Scholar Back to article
Fatima A., Bibi S., Hanif R., Comparative study on static code analysis tools for C/C++, 15th International Bhurban Conference on Applied Sciences and Technology (IBCAST), 09-13 January 2018, Pakistan.
Search in Google Scholar Back to article
Wheeler D.A., Flawfinder Official Website and Documentation, https://dwheeler.com/flawfinder/, Accessed: May 20, 2019.
Search in Google Scholar Back to article
Cppcheck., A Tool For Static C/C++ Code Analysis, https://cppcheck.sourceforge.io/, Accessed: December 31, 2024.
Search in Google Scholar Back to article
Google Code Archive., Long-term Storage For Google Code Project Hosting, https://code.google.com/archive/p/rough-auditing-tool-for-security/, Accessed: December 31, 2024.
Search in Google Scholar Back to article
Fluid Attacks., Application Security Testing Solutions, https://fluidattacks.com/, Accessed: December 31, 2024.
Search in Google Scholar Back to article
HCL Technologies., AppScan on Cloud, https://cloud.appscan.com/, Accessed: December 14, 2024.
Search in Google Scholar Back to article
Checkmarx., Application Security Platform, https://checkmarx.com/product/application-security-platform/, Accessed: December 14, 2024.
Search in Google Scholar Back to article
Veracode., Vulnerability Scanning Tools, https://www.veracode.com/security/vulnerability-scanning-tools, Accessed: December 31, 2024.
Search in Google Scholar Back to article
Microsoft., Release Windows App SDK 1.6.2 (1.6.241106002), https://github.com/microsoft/WindowsAppSDK/releases/tag/v1.6.2, Accessed: November 13, 2024.
Search in Google Scholar Back to article
Pakshad P., Windows App SDK Security Analysis, https://github.com/ppakshad/WindowsAppSDK-Security-Analysis.git, Accessed: December 31, 2024.
Search in Google Scholar Back to article

Articles in this issue

DOI: https://doi.org/10.2478/ijmce-2026-0019 | Journal eISSN: 2956-7068

Journal RSS Feed

Language: English

Submitted on: Mar 4, 2026

Accepted on: Apr 1, 2026

Published on: Jun 2, 2026

Published by: Harran University

In partnership with: Paradigm Publishing Services

Publication frequency: 2 issues per year

Keywords:

Software security,

static code analysis,

large language models,

vulnerability discovery,

Windows App SDK

Related subjects:

Computer sciences,

Computer sciences, other,

Engineering,

Introductions and overviews,

Physics,

© 2026 Puya Pakshad, Samson Quaye, Jamal Al-Karaki, Marwan Omar, Maurice E. Dawson, published by Harran University
This work is licensed under the Creative Commons Attribution 4.0 License.

AHEAD OF PRINT