Field-Programmable Gate Arrays (FPGAs) facil- itate a write-compile-debug cycle for digital circuits, re- sembling modern software development. Crucially, FPGA circuits comprise modules that can be re-used across projects. Many generic modules are available from commercial and open-source vendors as Intellectual Property (IP) cores. However, using third-party IP cores in FPGA designs poses critical supply chain security risks: FPGAs are increas- ingly being used in security- and safety-critical applications like automotive driver assistance or core networking. Thus, vulnerabilities in any component—homegrown or licensed— can have far-reaching consequences. While susceptibility of FPGA IP to security-critical implementation bugs has been shown in the literature, the prevalence and management of security vulnerabilities in FPGA IP has never been studied quantitatively. In this paper, we present the first measurement study covering 19 repre- sentative IP cores with 1250 total known issues over three commercial vendors and one open-source vendor. We classify 284 issues as security critical, predominantly affecting availability (134) and integrity (184). We analyze the survivability of these vulnerabilities and their mitigations. We find that mean-time-to-fix is between 5 and 12 months for commercial vendors, with outliers of up to 70 months, and no available mitigations for certain vulnerabilities. Specifically, 14 issues have fixes that support fewer FPGA devices than the vulnerable version, including 11 issues that vendors themselves label as critical but for which no workaround exists. We conclude with concrete recommendations for the industry, based on lessons learned from software vulnerability management.
IEEE European Symposium on Security and Privacy (EuroS&P)
2026-07-06
2026-04-22