Security researchers at Pwn2Own Automotive 2026 demonstrated 76 unique zero-day vulnerabilities across electric vehicle chargers and in-vehicle infotainment systems.
The three-day event in Tokyo awarded $1,047,000 USD total, with Fuzzware.io claiming the Master of Pwn title.
Day One Activities
Day One featured 30 entries targeting systems like Alpine iLX-F511, Kenwood DNR1007XR, and various EV chargers, yielding $516,500 USD for 37 zero-days.
Neodyme AG earned $20,000 for a stack-based buffer overflow on Alpine iLX-F511, while Fuzzware.io chained CWE-306 and CWE-347 for $50,000 on an Autel charger with signal manipulation.
SKShieldus’s 299 team exploited hardcoded credentials (CWE-798) and CWE-494 on Grizzl-E Smart 40A for $40,000; Team DDOS hit ChargePoint Home Flex with command injection for another $40,000; PetoWorks chained DoS, race condition, and injection on Phoenix Contact CHARX SEC-3150 for $50,000.
Fuzzware.io dominated further with a $60,000 out-of-bounds write on Alpitronic HYC50 and Synacktiv’s $35,000 Tesla USB attack via leak and out-of-bounds write.
Day Two Activities
Intense action on Day Two added $439,250 USD and 29 zero-days, pushing totals to 66 flaws and $955,750. Hank Chen of InnoEdge Labs scored $40,000 on Alpitronic HYC50 Lab Mode via an exposed dangerous method; Rob Blakely chained out-of-bounds read, memory exhaustion, and heap overflow on Automotive Grade Linux for $40,000.
Fuzzware.io continued strong with $50,000 on Phoenix CHARX SEC-3150 (three bugs plus add-ons, 7 points); Synacktiv hit Autel MaxiCharger add-on with stack buffer overflow for $30,000; Fuzzware.io and Summoning Team each earned $30,000 on ChargePoint Home Flex add-ons via command injection and two bugs, respectively.
Day Three Activities
Final day successes and collisions finalized the event, with Fuzzware.io securing Master of Pwn at 28 points and $215,500 USD overall. PetoWorks exploited buffer overflow on Grizzl-E Smart 40A for $10,000; Viettel Cyber Security used heap-based buffer overflow on Sony XAV-9500ES for $10,000.
Juurin Oy demonstrated TOCTOU on Alpitronic HYC50, installing playable Doom, earning $20,000 and 4 points; multiple collisions on Alpine, Kenwood, and chargers yielded partial awards like $16,750 for Ryo Kato on Autel. Elias Ikkelä-Koski and Aapo Oksman hit Kenwood with link-following for $5,000.
Critical High-Bounty Vulnerabilities
High-bounty wins ($30,000+) highlighted severe flaws in chargers and infotainment, often chaining multiple issues for root access or signal manipulation.
| Day | Team | Target | Bounty (USD) | Key Vulnerabilities | Points |
|---|---|---|---|---|---|
| 1 | Fuzzware.io | Alpitronic HYC50 Field | 60,000 | Out-of-bounds write | 6 |
| 1 | PetoWorks | Phoenix CHARX SEC-3150 | 50,000 | DoS, race condition, command injection | 5 |
| 1 | Fuzzware.io | Autel Charger | 50,000 | CWE-306, CWE-347 (code exec + signal manip) | 5 |
| 1 | Synacktiv | Tesla Infotainment USB | 35,000 | Info leak, out-of-bounds write | 3.5 |
| 2 | Fuzzware.io | Phoenix CHARX SEC-3150 | 50,000 | Three bugs + two add-ons | 7 |
| 2 | InnoEdge Labs | Alpitronic HYC50 Lab | 40,000 | Exposed dangerous method | 4 |
| 2 | Technical Debt Collectors | Automotive Grade Linux | 40,000 | OOB read, mem exhaustion, heap overflow | 4 |
| 2 | Synacktiv | Autel MaxiCharger Add-on | 30,000 | Stack buffer overflow | 5 |
| 2 | Fuzzware.io | ChargePoint Home Flex Add-on | 30,000 | Command injection | 5 |
| 2 | Summoning Team | ChargePoint Home Flex Add-on | 30,000 | Two bugs | 5 |
These zero-days expose risks in networked EV chargers and IVI, potentially enabling remote code execution or vehicle manipulation. ZDI coordinates disclosure to vendors for patching, underscoring automotive cybersecurity urgency amid rising EV adoption. Fuzzware.io’s wins demonstrate fuzzing prowess against complex embedded systems.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
