76 Zero-Day Vulnerabilities Found at Uncovered Hackers

At Pwn2Own Automotive 2026, security researchers demonstrated 76 unique zero-day vulnerabilities impacting electric vehicle chargers and in-vehicle infotainment systems.

The three-day event in Tokyo awarded $1,047,000 USD total, with Fuzzware.io claiming the Master of Pwn title.

Day One Activities

Day One featured 30 entries targeting systems like Alpine iLX-F511, Kenwood DNR1007XR, and various EV chargers, yielding $516,500 USD for 37 zero-days.

Neodyme AG earned $20,000 for a stack-based buffer overflow on Alpine iLX-F511, while Fuzzware.io chained CWE-306 and CWE-347 for $50,000 on an Autel charger with signal manipulation.

SKShieldus’s 299 team exploited hardcoded credentials (CWE-798) and CWE-494 on Grizzl-E Smart 40A for $40,000; Team DDOS hit ChargePoint Home Flex with command injection for another $40,000; PetoWorks chained DoS, race condition, and injection on Phoenix Contact CHARX SEC-3150 for $50,000.

Fuzzware.io dominated further with a $60,000 out-of-bounds write on Alpitronic HYC50 and Synacktiv’s $35,000 Tesla USB attack via leak and out-of-bounds write.

Day Two Activities

Intense action on Day Two added $439,250 USD and 29 zero-days, pushing totals to 66 flaws and $955,750. Hank Chen of InnoEdge Labs scored $40,000 on Alpitronic HYC50 Lab Mode via an exposed dangerous method; Rob Blakely chained out-of-bounds read, memory exhaustion, and heap overflow on Automotive Grade Linux for $40,000.

Fuzzware.io continued strong with $50,000 on Phoenix CHARX SEC-3150 (three bugs plus add-ons, 7 points); Synacktiv hit Autel MaxiCharger add-on with stack buffer overflow for $30,000; Fuzzware.io and Summoning Team each earned $30,000 on ChargePoint Home Flex add-ons via command injection and two bugs, respectively.

Day Three Activities

Final day successes and collisions finalized the event, with Fuzzware.io securing Master of Pwn at 28 points and $215,500 USD overall. PetoWorks exploited buffer overflow on Grizzl-E Smart 40A for $10,000; Viettel Cyber Security used heap-based buffer overflow on Sony XAV-9500ES for $10,000.

Juurin Oy demonstrated TOCTOU on Alpitronic HYC50, installing playable Doom, earning $20,000 and 4 points; multiple collisions on Alpine, Kenwood, and chargers yielded partial awards like $16,750 for Ryo Kato on Autel. Elias Ikkelä-Koski and Aapo Oksman hit Kenwood with link-following for $5,000.

Critical High-Bounty Vulnerabilities

High-bounty wins ($30,000+) highlighted severe flaws in chargers and infotainment, often chaining multiple issues for root access or signal manipulation.

These zero-days expose risks in networked EV chargers and IVI, potentially enabling remote code execution or vehicle manipulation. ZDI coordinates disclosure to vendors for patching, underscoring automotive cybersecurity urgency amid rising EV adoption. Fuzzware.io’s wins demonstrate fuzzing prowess against complex embedded systems.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.