Current learning-based Automated Vulnerability Repair (AVR) approaches, while promising, often fail to generalize effectively in real-world scenarios. Our diagnostic analysis reveals three fundamental weaknesses in state-of-the-art AVR approaches: (1) limited cross-repository generalization, with performance drops on unseen codebases; (2) inability to capture long-range dependencies, causing performance degradation on complex, multi-hunk repairs; and (3) over-reliance on superficial lexical patterns, leading to significant performance drops on vulnerabilities with minor syntactic variations such as variable renaming. To address these limitations, we propose SeCuRepair, a semantics-aligned, curriculum-driven, and reasoning-enhanced framework for vulnerability repair. At its core, SeCuRepair adopts a reason-then-edit paradigm, requiring the model to articulate why and how a vulnerability should be fixed before generating the patch. This explicit reasoning enforces a genuine understanding of repair logic rather than superficial memorization of lexical patterns. SeCuRepair also moves beyond traditional supervised fine-tuning and employs semantics-aware reinforcement learning, rewarding patches for their syntactic and semantic alignment with the oracle patch rather than mere token overlap. Complementing this, a difficulty-aware curriculum progressively trains the model, starting with simple fixes and advancing to complex, multi-hunk coordinated edits. We evaluate SeCuRepair on strict, repository-level splits of BigVul and the newly crafted PrimeVul_AVR dataset. SeCuRepair significantly outperforms all baselines, surpassing the best-performing baseline by 34.52% on BigVul and 31.52% on PrimeVul_AVR in terms of CodeBLEU, respectively. Comprehensive ablation studies further confirm that each component of our framework contributes to its final performance.
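To make the reward design concrete, here is an added illustration that is not the paper's code: a token-overlap score (what a purely lexical reward measures) beside a name-normalized AST similarity (one way to score syntactic alignment with the oracle patch). It uses Python's `ast` module on constructed Python stand-ins, since the paper's datasets hold C/C++; the tokenizer, the identifier normalization and the 0.7 weight are illustrative assumptions, not SeCuRepair's actual reward.

```python
import ast, re
from collections import Counter
# Constructed sample patches (Python stand-ins; the paper's datasets hold C/C++ code).
ORACLE = "def read_item(buf, idx):\n    if idx < 0 or idx >= len(buf):\n        return None\n    return buf[idx]\n"
# Same fix with every identifier renamed: semantically identical to ORACLE.
RENAMED = "def fetch(data, i):\n    if i < 0 or i >= len(data):\n        return None\n    return data[i]\n"
# Lexically almost identical to ORACLE but still off by one: the bug is not fixed.
OFF_BY_ONE = "def read_item(buf, idx):\n    if idx < 0 or idx > len(buf):\n        return None\n    return buf[idx]\n"
TOKEN = re.compile(r"\w+|[^\w\s]")

def token_overlap(candidate: str, oracle: str) -> float:
    """Unigram precision: the surface overlap a token-matching reward measures."""
    cand, ref = TOKEN.findall(candidate), Counter(TOKEN.findall(oracle))
    hits = 0
    for tok in cand:
        if ref[tok] > 0:
            hits += 1
            ref[tok] -= 1
    return hits / len(cand) if cand else 0.0

def normalize(tree: ast.AST) -> ast.AST:
    """Replace every identifier (callee names included) with one placeholder so only structure remains."""
    for n in ast.walk(tree):
        if isinstance(n, ast.Name):
            n.id = "_ID_"
        elif isinstance(n, ast.arg):
            n.arg = "_ID_"
        elif isinstance(n, ast.FunctionDef):
            n.name = "_ID_"
    return tree

def structural_similarity(candidate: str, oracle: str) -> float:
    """Fraction of the candidate's name-normalized AST subtrees that also occur in the oracle's."""
    try:
        c_tree, o_tree = normalize(ast.parse(candidate)), normalize(ast.parse(oracle))
    except SyntaxError:
        return 0.0  # an unparsable patch earns nothing on the structural axis
    c_sub = Counter(ast.dump(n) for n in ast.walk(c_tree))
    o_sub = Counter(ast.dump(n) for n in ast.walk(o_tree))
    return sum(min(cnt, o_sub[k]) for k, cnt in c_sub.items()) / sum(c_sub.values())

def semantics_aware_reward(candidate: str, oracle: str, w_struct: float = 0.7) -> float:
    """Blend of structural and lexical agreement; the 0.7 weight is an illustrative assumption."""
    return (w_struct * structural_similarity(candidate, oracle)
            + (1 - w_struct) * token_overlap(candidate, oracle))

if __name__ == "__main__":
    for name, cand in (("renamed", RENAMED), ("off_by_one", OFF_BY_ONE)):
        print(name, round(token_overlap(cand, ORACLE), 3), round(structural_similarity(cand, ORACLE), 3), round(semantics_aware_reward(cand, ORACLE), 3))
```

The renamed patch loses token overlap but keeps a perfect structural score, while the off-by-one patch scores a perfect token overlap yet is penalized structurally; this is the gap between lexical matching and alignment with the oracle that the abstract refers to.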