Hackers Trigger 29 Zero-Day Flaws on Day Two of Pwn2Own Automotive Competition

  • On the second day of Pwn2Own Automotive 2026 in Tokyo, Japan, top security researchers exploited 29 unique zero-day vulnerabilities in automotive technologies. Zero-days are flaws that were previously unknown to the vendors and could be used for real-world attacks if left unpatched.
  • These flaws were found in fully patched electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and automotive operating systems, highlighting persistent security gaps even in up-to-date equipment.
  • The teams earned $439,250 in cash awards on Day 2 alone.

Overall Competition Progress

  • After two days, researchers have collectively earned about $955,750 by demonstrating 66 distinct zero-day vulnerabilities so far.
  • Teams like Fuzzware.io top the leaderboard with large cash winnings, thanks to successful exploits against EV chargers and other automotive systems.
  • Other notable contributions include zero-day exploit chains against Automotive Grade Linux, charging stations from Alpitronic and Phoenix Contact, and IVI systems from Kenwood and Alpine.

Why This Matters

Pwn2Own Automotive is not just a competition — it’s a crucial security proving ground where vulnerabilities are responsibly reported to manufacturers before public disclosure. This allows vendors time (usually 90 days) to develop and release patches, reducing the risk of these flaws being exploited by malicious actors in the wild.

Modern vehicles increasingly depend on complex software, from charging infrastructure to networked infotainment, and discovering these zero-days early helps strengthen defenses before these systems reach consumers or before attackers exploit the same flaws.