76 Zero-Day Vulnerabilities Exposed at Pwn2Own Automotive 2026 by Hackers

The final day of Pwn2Own Automotive 2026 brought the world’s elite security researchers to the finish line with a spectacular display of hacking prowess.

Over three intense days of competition, researchers successfully identified and exploited 76 unique zero-day vulnerabilities across automotive systems, claiming a combined prize pool of $1,047,000 USD.

The competition crowned Tobias Scharnowski, Felix Buchmann, and Kristian Covic of Fuzzware.io as the Master of Pwn champions, earning an impressive 28 points and $215,500 USD for their sophisticated exploits targeting multiple vehicle infotainment and charging systems.

Key Vulnerability Discoveries

Zero Day Initiative researchers demonstrated a diverse range of vulnerability types throughout the competition.

Buffer overflow vulnerabilities dominated the findings, with both stack-based and heap-based overflow exploits successfully achieving arbitrary code execution.

Notably, Viettel Cyber Security exploited a heap-based buffer overflow in the Sony XAV-9500ES to gain system control, while the DDOS team demonstrated a stack-based overflow in Alpine infotainment systems.

[Image: 76 zero-day vulnerabilities exposed (source: Zero Day Initiative)]

One of the most creative exploits came from Juurin Oy’s team, who compromised the Alpitronic HYC50 EV charger using a time-of-check to time-of-use (TOCTOU) race condition vulnerability.

The team earned $20,000 USD and 4 Master of Pwn points and famously installed a playable version of Doom on the compromised system to demonstrate full code execution capabilities.

The competition exposed vulnerabilities across critical automotive components, including infotainment systems from Alpine, Kenwood, and Sony; EV charging stations from Grizzl-E and Autel; and specialized automotive interfaces.

[Image: exploiting one unique vulnerability to gain root access (source: Zero Day Initiative)]

Permission assignment flaws and race conditions also emerged as significant attack vectors beyond traditional memory corruption bugs.

The 76 vulnerabilities uncovered represent critical findings that will drive security improvements across the automotive industry.

The diversity of affected manufacturers, from infotainment pioneers to EV charging specialists, highlights the widespread need for enhanced security practices in connected vehicle ecosystems.

The competition demonstrated that automotive systems remain attractive targets for sophisticated researchers, with substantial rewards incentivizing continuous security research and responsible vulnerability disclosure.

These findings will strengthen the automotive sector’s defensive posture through coordinated vulnerability management and patching initiatives.
