In AUTOSAR-based automotive SoCs, real-time safety-critical software suffers from unclear vulnerability root causes and insufficient impact assessment. Method: We systematically analyze 180 publicly disclosed vulnerabilities to construct an SoC software architecture model aligned with the AUTOSAR layered reference architecture. We propose the first AUTOSAR-compliant vulnerability root cause taxonomy, identifying 16 root cause categories and 56 high-risk modules; further, we integrate CWE classification, layered abstraction modeling, and service-oriented analysis to empirically map vulnerabilities to architectural elements and quantify their cross-layer impacts and patching delays. Results: Our study reveals dominant vulnerability patterns, uncovers cross-layer distribution regularities and systematic patch delays, and provides actionable, architecture-level security enhancement guidelines—enabling vulnerability detection, prioritization, and precise localization. These findings support security-by-design optimization of automotive cyber-physical systems (CPS) platforms at the architectural level.

Cooperative, Connected and Automated Mobility (CCAM) are complex cyber-physical systems (CPS) that integrate computation, communication, and control in safety-critical environments. At their core, System-on-Chip (SoC) platforms consolidate processing units, communication interfaces, AI accelerators, and security modules into a single chip. AUTOSAR (AUTomotive Open System ARchitecture) standard was developed in the automotive domain to better manage this complexity, defining layered software structures and interfaces to facilitate reuse of HW/SW components. However, in practice, this integrated SoC software architecture still poses security challenges, particularly in real-time, safety-critical environments. Recent reports highlight a surge in SoC-related vulnerabilities, yet systematic analysis of their root causes and impact within AUTOSAR-aligned architectures is lacking. This study fills that gap by analyzing 180 publicly reported automotive SoC vulnerabilities, mapped to a representative SoC software architecture model that is aligned with AUTOSAR principles for layered abstraction and service orientation. We identify 16 root causes and 56 affected software modules, and examine mitigation delays across Common Weakness Enumeration (CWE) categories and architectural layers. We uncover dominant vulnerability patterns and critical modules with prolonged patch delays, and provide actionable insights for securing automotive CPS platforms, including guides for improved detection, prioritization, and localization strategies for SoC software architectures in SoC-based vehicle platforms.