PROBABLYPWNED
Vulnerabilities | January 23, 2026 | 4 min read

Pwn2Own Automotive 2026 Ends With 76 Zero-Days, $1M+ Awarded

Fuzzware.io claims Master of Pwn at Tokyo competition after researchers demonstrate record-breaking exploits against Tesla, EV chargers, and infotainment systems.

Marcus Chen

The third annual Pwn2Own Automotive competition concluded today in Tokyo with researchers earning $1,047,000 for demonstrating 76 unique zero-day vulnerabilities across EV charging infrastructure, in-vehicle infotainment systems, and automotive operating systems. Fuzzware.io claimed the Master of Pwn title after a dominant performance across all three days.

The final day delivered creative exploits and unexpected moments, including one team installing a playable version of Doom on an EV charger after compromising it. Vendors now have 90 days to develop patches before details go public.

Master of Pwn: Fuzzware.io Takes the Crown

The Fuzzware.io team—Tobias Scharnowski, Felix Buchmann, and Kristian Covic—accumulated 28 Master of Pwn points and $215,500 over the three-day competition. Their consistent success against charging infrastructure, particularly the Phoenix Contact CHARX SEC-3150 and ChargePoint Home Flex systems, separated them from the field.

The leaderboard proved how competitive this year's contest became. With 73 entries—a record for the automotive-focused event—several teams remained within striking distance of the title heading into the final day.

Day Three Highlights

The competition wrapped with several notable demonstrations:

Juurin Oy's Doom Installation

Aapo Oksman, Elias Ikkelä-Koski, and Mikael Kantola exploited the Alpitronic HYC50 Level 3 charger using a time-of-check-to-time-of-use (TOCTOU) vulnerability—then proved their code execution capabilities by installing Doom on the charger's display. The demonstration earned $20,000 and 4 Master of Pwn points.

Viettel Cyber Security's Sony Exploit

Viettel's team demonstrated a heap-based buffer overflow achieving arbitrary code execution on the Sony XAV-9500ES digital media receiver, earning $10,000.

Qrious Secure's Kenwood Chain

In what the contest classified as a collision, Qrious Secure demonstrated three bugs against the Kenwood system—one n-day and two unique vulnerabilities involving incorrect permission assignment and a race condition—earning $4,000.

PetoWorks' Buffer Overflow

The team earned $10,000 and 4 Master of Pwn points through a buffer overflow exploit, continuing the theme of memory corruption vulnerabilities plaguing automotive systems.

Three-Day Totals

Across the competition, researchers hammered every category:

Day      Zero-Days   Prize Money
Day 1    37          $516,500
Day 2    29          $439,250
Day 3    10          $91,250
Total    76          $1,047,000

EV charging infrastructure proved especially vulnerable, with multiple Level 2 and Level 3 chargers falling to various exploit chains. The Synacktiv team's Tesla Infotainment System hack on Day One set the tone, demonstrating that even well-resourced automotive vendors have exploitable bugs.

Why This Matters

The 76 vulnerabilities discovered this week will translate directly into patches over the coming months. Trend Micro's Zero Day Initiative, which organizes Pwn2Own, gives vendors 90 days to address disclosed vulnerabilities before going public.

For the automotive industry, these findings reveal several patterns worth noting:

Charging infrastructure is a soft target. Multiple research teams successfully compromised EV chargers across manufacturers. As charging networks expand, these devices become attractive entry points for attackers seeking to disrupt infrastructure or pivot into connected vehicles.

Memory corruption remains the dominant vulnerability class. Heap overflows, buffer overflows, and use-after-free conditions accounted for most successful exploits. Despite decades of awareness, memory safety issues persist in embedded automotive systems.

Infotainment systems remain a bridge into vehicles. Every successful IVI exploit demonstrated the potential for attackers to move from entertainment features toward more sensitive vehicle functions. The industry's broader exposure through unpatched vulnerabilities extends well beyond these contest conditions.

The competition's expansion to 73 entries—up significantly from previous years—signals growing researcher interest in automotive security. That's good news for the industry, which benefits from having vulnerabilities found by researchers rather than malicious actors.

What Comes Next

VicOne and Trend ZDI, the contest co-hosts, will work with affected vendors through the coordinated disclosure process. Tesla, Sony, Alpine, Kenwood, Phoenix Contact, ChargePoint, Alpitronic, and others now have three months to develop and deploy patches.

For security teams managing automotive fleets or EV charging infrastructure, the message is clear: watch for patches from these vendors and prioritize deployment when they arrive. The vulnerabilities demonstrated this week are real, and the exploit techniques will eventually become public.

Pwn2Own Automotive returns next year, likely with an even larger target pool as connected vehicle technology continues expanding. The $1 million in prizes awarded this week represents a fraction of what these vulnerabilities could be worth on the black market—a reminder that bug bounties and contest models remain essential for keeping researchers on the defensive side.
