2026 State of Automotive Software Development Report
Chapter 5 - Recalls and Software Vulnerabilities
Recalls
General
Slightly fewer respondents were impacted by a recall than last year, overall. However, automotive software recalls are a growing problem in the industry, on track to surpass previous recall numbers for the sixth year in a row, according to Forbes. The increasing complexity of automotive software, in addition to innovative self-driving technology, contributes to issues that might lead to a recall.
For example, the driverless rideshare company Waymo recalled its whole fleet in December 2025, Reuters reported, due to a failure of its robotaxis to stop for school buses. In the EU, Citroën, Opel, and Fiat made headlines by recalling 215,230 vehicles in January 2026 due to a software error that affected instrument cluster screens, which ultimately made the ADAS functions unavailable, reported Car-recalls.eu. And in China, the State Administration for Market Regulation (SAMR) identified safety issues related to driver-assistance systems as one of the leading causes of recalls, accounting for 23% of the total recalls, according to a China Daily article.
Over-the-air (OTA) updates make it easier to fix recalled software and reduce costs from $500 USD per vehicle before OTA to just $66.50 per vehicle to deliver a 1 GB update, estimated Harman Automotive, a supplier of OTA software, in a recent Wired article. However, not all software recalls can be resolved with OTA updates, and costs for recalls are still climbing for a variety of automakers. In the Forbes article mentioned above, Stellantis had the highest cost per vehicle sold from 2024 to 2025 resulting from software recalls: $743.22.
The best way to prevent a costly recall is to keep code quality high as early as possible in development, ideally as the code is still being written. Perforce Static Analysis tools scan code, flag potential security vulnerabilities and coding standards violations, and have built-in AI-assisted code remediation that suggests immediate fixes requiring developer approval.
Software Vulnerability
General
It is important to note that recalls may or may not occur due to a software vulnerability. A recall can be caused by a software or hardware problem, whereas a software vulnerability will always be a security issue in software.
Similar to last year’s report, most automotive professionals were not impacted by a code vulnerability. However, the share of those who were affected several times increased from 20% to 23% in 2026. Even a few vulnerabilities in automotive software can lead to costly recalls and the need for OTA updates.
There are many common software vulnerabilities such as injection, broken access control, and server-side request forgery that malicious actors can exploit to their advantage. Even one code vulnerability can cause significant issues, sometimes enough to compromise whole systems. The most efficient way to prevent software vulnerabilities is to use static analysis tools that keep code quality high, detect vulnerabilities early in the SDLC, and enforce security standards.
Organization Type
Respondents who were impacted by a software vulnerability were impacted several times. Tier 2 suppliers were affected the most.
Region
By region, North America had the largest percentage of respondents who were impacted several times by a software vulnerability (29%). As shown below, while many respondents from North America are using CERT, CWE, and OWASP to detect vulnerabilities (131%), a higher percentage of those from Europe/UK (156%) and Asia (146%) made selections for vulnerability detection in their software. North American automotive development teams may need to follow these security guidelines and best practices more closely to prevent future recalls.
Preventing Software Vulnerabilities
Security resources help developers detect vulnerabilities in their code. Many respondents use CERT, CWE, and OWASP to identify bugs and assess risks during automotive software development. CERT had the highest percentage (64%) of use among respondents. This is probably due to CERT being an easy-to-use coding standard, which helps with the general prevention of vulnerabilities. CWE and OWASP help detect known vulnerabilities.