The SZZ method and its variants are extensively utilized in the identification of the vulnerability affected range, predominantly through the analysis of bug-fixing commits to trace back to bug-inducing commits. However, these methods generally suffer from low precision due to two main factors: 1) Current learning-based approaches rely solely on code to identify root cause deletion lines, which often leads to incorrect results. 2) The tracing capabilities of existing SZZ methods are insufficient when dealing with complex vulnerabilities, especially those in early software versions, due to their reliance on line mapping algorithm.

To address these issues, this paper innovatively incorporates natural language information from commit metadata, combined with large language models, to more accurately capture the true root cause line of vulnerabilities, thereby achieving precise localization of the vulnerability’s impact range. Experimental results indicate that our proposed LLM-SZZ method outperforms existing state-of-the-art approaches, achieving over a 16% increase in precision across datasets in various programming languages, demonstrating a significant performance advantage.