Researchers have found that large language models (LLMs) may not truly understand the vulnerabilities they detect in systems software and may instead rely on pattern matching. A new framework, CWE-Trace, has been developed to test the limits of LLMs in vulnerability detection, using 834 manually curated Linux kernel samples across 74 common weaknesses (CWEs). The framework employs a strict temporal split, separating historical data from leakage-free data, to evaluate how effectively LLMs detect vulnerabilities. This approach allows a more accurate assessment of LLMs' abilities and highlights their potential limitations in reasoning about security [1]. CWE-Trace has significant implications for the development of reliable vulnerability detection tools, as it suggests that LLMs may not be as effective as previously thought. For practitioners, this means being cautious when relying on LLMs for vulnerability detection, as these models may not provide comprehensive security insights.