Security researchers at Pwn2Own Automotive 2026 demonstrated 76 unique zero-day vulnerabilities across electric vehicle (EV) chargers and in-vehicle infotainment (IVI) systems.
The three-day event in Tokyo awarded $1,047,000 USD in total, with Fuzzware.io claiming the Master of Pwn title.
Day One Activities
Day One featured 30 entries targeting systems such as the Alpine iLX-F511, the Kenwood DNR1007XR, and several EV chargers, yielding $516,500 USD for 37 zero-days.
Neodyme AG earned $20,000 for a stack-based buffer overflow on the Alpine iLX-F511, while Fuzzware.io chained CWE-306 (missing authentication for a critical function) and CWE-347 (improper verification of a cryptographic signature) for $50,000 on an Autel charger, gaining code execution with signal manipulation.
SKShieldus's 299 team exploited hardcoded credentials (CWE-798) and a download of code without an integrity check (CWE-494) on the Grizzl-E Smart 40A for $40,000; Team DDOS hit the ChargePoint Home Flex with command injection for another $40,000; PetoWorks chained a DoS, a race condition, and an injection on the Phoenix Contact CHARX SEC-3150 for $50,000.
Fuzzware.io dominated further with a $60,000 out-of-bounds write on the Alpitronic HYC50, and Synacktiv took $35,000 for a Tesla infotainment attack via USB that combined an information leak with an out-of-bounds write.
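To make the Day One Autel chain concrete, here is an added illustrative example, written for this page and not code from Autel, Fuzzware.io or ZDI, of what a CWE-306 plus CWE-347 firmware-update path looks like next to a fixed version. The handler shape, the key, the session token and the signing scheme (HMAC-SHA256 standing in for a device's real asymmetric firmware signature) are all assumptions; nothing here describes the actual Autel bug. The point it shows is why the two weaknesses compound: with no authentication gate, the only thing between an attacker and code execution is the signature check, and a check that only runs when a signature is supplied is no check at all.

```python
import hashlib
import hmac

# Constructed key material for this example; no real device key is involved.
SIGNING_KEY = b"example-firmware-signing-key"   # hypothetical vendor signing key
ADMIN_TOKEN = "example-admin-session-token"     # hypothetical authenticated session


def sign_firmware(blob: bytes) -> str:
    """Vendor-side signing (HMAC-SHA256 standing in for a real asymmetric scheme)."""
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()


def vulnerable_update(request: dict) -> str:
    """Update handler carrying both weaknesses.

    CWE-306: nothing checks that the caller is authenticated.
    CWE-347: the signature is verified only when the client supplies one,
             so an attacker bypasses it by omitting the field.
    """
    blob = request["firmware"]
    sig = request.get("signature")
    if sig is not None and sig != sign_firmware(blob):  # also a timing-unsafe compare
        return "rejected: bad signature"
    return "installed %d bytes" % len(blob)


def hardened_update(request: dict) -> str:
    """Same handler with an authentication gate and a fail-closed signature check."""
    # CWE-306 fix: refuse unauthenticated callers before touching the payload.
    token = str(request.get("token", "")).encode()
    if not hmac.compare_digest(token, ADMIN_TOKEN.encode()):
        return "rejected: unauthenticated"
    blob = request.get("firmware")
    sig = request.get("signature")
    # CWE-347 fix: a missing or malformed signature is a rejection, not a bypass.
    if not isinstance(blob, bytes) or not isinstance(sig, str):
        return "rejected: missing firmware or signature"
    # Constant-time compare of the expected tag against the supplied one.
    if not hmac.compare_digest(sig.encode(), sign_firmware(blob).encode()):
        return "rejected: bad signature"
    return "installed %d bytes" % len(blob)


def run_scenarios() -> dict:
    """Feed an attacker image, a tampered image and a genuine update to both handlers."""
    attacker_image = b"\x7fELF attacker-controlled firmware"  # constructed payload
    vendor_image = b"\x7fELF genuine vendor firmware"         # constructed payload
    attacker_request = {"firmware": attacker_image}           # no token, no signature
    tampered_request = {                                      # valid signature, wrong image
        "firmware": attacker_image,
        "token": ADMIN_TOKEN,
        "signature": sign_firmware(vendor_image),
    }
    legit_request = {
        "firmware": vendor_image,
        "token": ADMIN_TOKEN,
        "signature": sign_firmware(vendor_image),
    }
    return {
        "vulnerable/attacker": vulnerable_update(attacker_request),
        "hardened/attacker": hardened_update(attacker_request),
        "hardened/tampered": hardened_update(tampered_request),
        "vulnerable/legit": vulnerable_update(legit_request),
        "hardened/legit": hardened_update(legit_request),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

Running it shows the unsigned, unauthenticated image being "installed" by the vulnerable handler and rejected at the authentication gate by the hardened one, while a signature lifted from a genuine image still fails on the attacker's payload. On a real charger the equivalent fix is to require an authenticated session (or a physically attested update channel) before the update endpoint does any work, and to treat an absent or undecodable signature exactly like an invalid one.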
Day Two Activities
Day Two added $439,250 USD and 29 zero-days, pushing the running totals to 66 flaws and $955,750. Hank Chen of InnoEdge Labs scored $40,000 on the Alpitronic HYC50 Lab Mode via an exposed dangerous method; Rob Blakely chained an out-of-bounds read, memory exhaustion, and a heap overflow on Automotive Grade Linux for $40,000.
Fuzzware.io continued strong with $50,000 on the Phoenix CHARX SEC-3150 (three bugs plus add-ons, 7 points); Synacktiv hit the Autel MaxiCharger add-on with a stack buffer overflow for $30,000; Fuzzware.io and Summoning Team each earned $30,000 on ChargePoint Home Flex add-ons, via command injection and a two-bug chain respectively.
Day Three Activities
Final-day successes and collisions closed out the event, with Fuzzware.io securing Master of Pwn at 28 points and $215,500 USD overall. PetoWorks exploited a buffer overflow on the Grizzl-E Smart 40A for $10,000; Viettel Cyber Security used a heap-based buffer overflow on the Sony XAV-9500ES for $10,000.
Juurin Oy demonstrated a TOCTOU (time-of-check to time-of-use) bug on the Alpitronic HYC50, installing a playable Doom, earning $20,000 and 4 points; several collisions on Alpine, Kenwood, and charger targets yielded partial awards, such as $16,750 for Ryo Kato on Autel. Elias Ikkelä-Koski and Aapo Oksman hit Kenwood with a link-following bug for $5,000.
Critical High-Bounty Vulnerabilities
High-bounty wins ($30,000 and above) highlighted severe flaws in chargers and infotainment units, often chaining multiple issues to reach root access or signal manipulation.
Day | Team | Target | Bounty (USD) | Key Vulnerabilities | Points
1 | Fuzzware.io | Alpitronic HYC50 Field | 60,000 | Out-of-bounds write | 6
1 | PetoWorks | Phoenix CHARX SEC-3150 | 50,000 | DoS, race condition, command injection | 5
1 | Fuzzware.io | Autel Charger | 50,000 | CWE-306, CWE-347 (code exec + signal manipulation) | 5
1 | Synacktiv | Tesla Infotainment USB | 35,000 | Info leak, out-of-bounds write | 3.5
2 | Fuzzware.io | Phoenix CHARX SEC-3150 | 50,000 | Three bugs + two add-ons | 7
2 | InnoEdge Labs | Alpitronic HYC50 Lab | 40,000 | Exposed dangerous method | 4
2 | Technical Debt Collectors | Automotive Grade Linux | 40,000 | OOB read, memory exhaustion, heap overflow | 4
2 | Synacktiv | Autel MaxiCharger Add-on | 30,000 | Stack buffer overflow | 5
2 | Fuzzware.io | ChargePoint Home Flex Add-on | 30,000 | Command injection | 5
2 | Summoning Team | ChargePoint Home Flex Add-on | 30,000 | Two bugs | 5
These zero-days expose the risks of networked EV chargers and IVI systems, potentially enabling remote code execution or vehicle manipulation. ZDI coordinates disclosure with the vendors for patching, underscoring the urgency of automotive cybersecurity amid growing EV adoption. Fuzzware.io's wins demonstrate the effectiveness of fuzzing against complex embedded systems.
