Abstract

Identifying which software versions are affected by a vulnerability is critical for patching, risk mitigation, and downstream security tasks. Although numerous tools have been proposed, existing evaluations are limited in scope—focusing primarily on early SZZ variants, neglecting state-of-the-art techniques, and relying on small-scale datasets— leaving open questions about tool accuracy, robustness, and design limitations. In this paper, We present the first comprehensive empirical study of vulnerability-affected versions identification. We construct a high-quality benchmark of 1,128 real-world C/C++ vulnerabilities and systematically evaluate 12 representative tools across across accuracy, robustness, and error root causes. Our findings reveal low overall accuracy (best < 45%), driven by over-reliance on heuristics, limited semantic modeling, and poor handling of complex patches. While modular recomposition and ensemble strategies yield up to 10.1% improvement, accuracy remains below 60.0%. Our study offers actionable insights to guide tool development, combination strategies, and future research in this critical area.