Open-source autonomous driving systems (ADS) face critical security risks due to persistent high-severity vulnerabilities. Method: This study systematically identifies and analyzes critical vulnerabilities—specifically integer overflows (CWE-190) and input validation defects (CWE-20)—across Autoware, AirSim, and Apollo codebases using CodeQL. It conducts the first large-scale, cross-version empirical analysis of vulnerability lifecycles in ADS, integrating CWE classification and multi-version comparative tracking. Contribution/Results: CWE-190 (59.6%) and CWE-20 (16.1%) dominate the identified vulnerabilities. Over 60% of high-severity flaws remain unpatched for more than six months, demonstrating pronounced vulnerability persistence and delayed remediation. These findings empirically reveal systemic weaknesses in ADS security maintenance practices, highlighting significant gaps in vulnerability management maturity. The study provides both empirical evidence and a methodological framework—grounded in precise static analysis and longitudinal code evolution tracking—to advance ADS security robustness and inform proactive assurance strategies.

The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust. This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities, their distribution and persistence across versions to enhance the security of ADS. We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects to identify vulnerabilities, focusing on CWE categories such as CWE-190 (Integer Overflow or Wraparound) and CWE-20 (Improper Input Validation). We also tracked the lifecycle of these vulnerabilities across software versions. This approach allows us to systematically analyze vulnerabilities in projects, which has not been extensively explored in previous ADS research. Our analysis revealed that specific CWE categories, particularly CWE-190 (59.6%) and CWE-20 (16.1%), were prevalent across the selected ADS projects. These vulnerabilities often persisted for over six months, spanning multiple version iterations. The empirical assessment showed a direct link between the severity of these vulnerabilities and their tangible effects on ADS performance. These security issues among ADS still remain to be resolved. Our findings highlight the need for integrating static code analysis into ADS development to detect and mitigate common vulnerabilities.