exploitintel/cve-cwe-qwen3-32b

Overview

exploitintel/cve-cwe-qwen3-32b is a specialized language model designed to classify Common Vulnerabilities and Exposures (CVE) descriptions into Common Weakness Enumeration (CWE) IDs. This 32-billion parameter model is a QLoRA fine-tune of the Qwen3-32B base model, with the adapter merged into a 16-bit release for direct loading with transformers.

Key Capabilities & Performance

• CVE to CWE Mapping: Accurately translates free-text CVE descriptions into one or more CWE IDs.
• High Accuracy: Achieves an exact-match score of 0.707 and a Micro-F1 score of 0.729 on a held-out test set.
• Improved Inference: Shows significant gains in Macro-F1 (0.595) and performance on "hard" inference cases compared to its 8B variant, indicating better handling of rare or long-tail CWEs and complex descriptions.
• Low Hallucination: Rarely predicts non-existent CWEs, ensuring high reliability.
• Specialized Training: Trained on the exploitintel/cve-cwe-consensus dataset, which includes 69,386 rows where NVD and CNA agree on CWE assignments, mapped to CWE View-1003.

Usage & Limitations

• Prompt Format: Utilizes ChatML with a fixed system prompt for vulnerability analysis, expecting only CWE ID(s) as output.
• GGUF Availability: A Q4_K_M GGUF version is provided for local execution, requiring approximately 24 GB VRAM.
• Limitations: Predicts only CWEs present in its training dataset (50-example floor), outputs text-based CWE IDs requiring validation, is English-only, and processes descriptions exclusively (no code, CVSS, or references). It is intended as a triage aid, not an authoritative assignment tool.