- Pwn2Own Automotive 2026 was a three-day white-hat hacking contest held in Tokyo, Japan, as part of the Automotive World conference.
- Security researchers targeted connected vehicle technologies such as in-vehicle infotainment (IVI) systems, EV chargers, and automotive operating systems (e.g., Automotive Grade Linux).
- Over the course of the event, hackers successfully demonstrated 76 unique zero-day vulnerabilities and collectively earned $1,047,000 USD in cash prizes.
Prize Breakdown & Winners
- Total payout: $1,047,000 USD awarded across all participants.
- Top team: Fuzzware.io was crowned Master of Pwn, earning $215,500 for their performance.
- Their exploits included successes across multiple devices such as EV chargers and infotainment units.
- Other high-earning teams included Team DDOS and Synacktiv, with significant cash prizes for their successful hacks.
Notable Exploits & Targets
- Hackers demonstrated serious vulnerabilities in:
  - EV charging stations (e.g., Alpitronic HYC50, Autel chargers, Phoenix Contact CHARX units).
  - In-vehicle infotainment systems including those from Alpine, Kenwood, and Tesla.
- Various vulnerability classes were exploited, including buffer overflows, command injections, hardcoded credentials, and race conditions.
- One notable demonstration involved compromising a Tesla infotainment system using a USB-based attack chain.
What Happens Next
- Reported zero-day vulnerabilities are first disclosed to affected vendors.
- Vendors typically have 90 days to issue security fixes before technical details are publicly released through the Zero Day Initiative (ZDI).
Why It Matters
- The sheer number of zero-day issues revealed — 76 in just three days — highlights ongoing cybersecurity risks in modern connected vehicles and charging infrastructure.
- These findings help manufacturers improve security before threats can be exploited in the real world.
