Security researchers successfully hacked the Tesla Infotainment System on the first day of Pwn2Own Automotive 2026, a day on which teams demonstrated a total of 37 previously unknown (“zero-day”) vulnerabilities across automotive systems. These hacks took place under controlled, ethical conditions as part of a competitive cybersecurity event rather than an unauthorized breach in the wild.
- The Synacktiv team chained multiple flaws, including an information leak and an out-of-bounds write bug, to gain root access on the Tesla infotainment system.
- Because these were zero-day vulnerabilities, they were unknown to Tesla prior to disclosure.
- Across the first day of competition, $516,500 in cash prizes were awarded to teams for uncovering and exploiting a total of 37 zero-days in automotive tech systems.
In the responsible disclosure model used at Pwn2Own, vendors have 90 days from reporting to develop and release patches before details are publicly released.
Why This Matters
Pwn2Own Automotive is an established, industry-recognized contest that tests the security of connected vehicles and related technologies, such as infotainment systems and EV charging hardware. It brings together top security researchers to identify vulnerabilities before they can be exploited maliciously.
- Modern cars — especially electric vehicles like Teslas — are increasingly software-defined, with complex systems handling navigation, connectivity, updates, and displays.
- Discovering zero-days helps automakers and suppliers strengthen defenses and improve safety across the automotive ecosystem.
Security Teams & Other Results
Other competitors also made significant breakthroughs on Day 1:
- Teams hacked EV chargers (e.g., Alpitronic HYC50, ChargePoint Home Flex) and other infotainment units (e.g., Sony XAV-9500ES), earning awards for achieving root-level execution.
- Multiple vulnerabilities were chained together, showing how multi-step exploits can circumvent security layers when the underlying flaws are left unpatched.
What Happens Next
After disclosure:
- A 90-day period begins for vendors like Tesla to patch the reported vulnerabilities.
- Once patches are issued or the deadline passes, the Zero Day Initiative may publish the technical details, helping the broader cybersecurity community.
- Researchers continue working on Day 2 and Day 3 of the contest, targeting additional automotive systems.
Takeaway
This event isn’t a “hack” in the criminal sense. It’s a responsible, consensual cybersecurity competition designed to find and fix vulnerabilities in vehicles and infrastructure before they surface in real-world attacks.
Nevertheless, the exploitation of the Tesla infotainment system highlights the growing importance of automotive cybersecurity as cars become ever more connected and software-driven.
