Published Thursday, July 02, 2026 at 01:23 AM PT

ALERT: Pwn2Own Automotive 2026 Concludes — Record 73 Vulnerability Entries Targeting Automotive Components; Vendors Must Patch

BLUF: The third annual Pwn2Own Automotive 2026 competition has concluded in Tokyo, Japan. A record 73 entries were submitted targeting automotive systems. Affected vendors have been notified per ZDI responsible disclosure policy and should expect coordinated patch timelines. Security teams supporting automotive OEMs, EV charging infrastructure, and in-vehicle infotainment systems should monitor ZDI advisories immediately.


DETAILS

  • Pwn2Own Automotive 2026 ran across three days at Automotive World, Tokyo; Day One alone featured 30 entries on stage — the highest single-day volume reported in the competition’s history.
  • A record 73 total entries were registered across the full competition, surpassing prior years and indicating a significant expansion in discovered attack surface across automotive components.
  • Competition results were published across Day One, Day Two, and Day Three by Zero Day Initiative; a “Master of Pwn” winner was named following Day Three — specific winner identity not confirmed in available source material.
  • All vulnerabilities demonstrated at Pwn2Own are subject to ZDI’s standard 90-day coordinated disclosure policy; affected vendors have been formally notified. Patches are not yet confirmed as available for demonstrated vulnerabilities.
  • Specific targeted components, CVE assignments, and CVSS scores have not been confirmed in the source material provided. Full technical advisories are pending ZDI publication.

IMPACT

  • Who is affected: Automotive OEMs, Tier-1 suppliers, EV charging network operators, and consumers of connected vehicle platforms targeted during the competition.
  • Scope: Broad — 73 entries across multiple automotive component categories suggest wide attack surface coverage. Exact component breakdown (IVI systems, EVSE, telematics, etc.) is not confirmed from available data.
  • Exploitation in the wild: No evidence of active exploitation reported at this time. Competition vulnerabilities are controlled-environment demonstrations; however, parallel discovery by threat actors cannot be ruled out.

RECOMMENDED ACTIONS

  1. Monitor ZDI advisories at zerodayinitiative.com for published CVEs and technical details as they are released post-competition.
  2. Automotive security teams should inventory exposed components and prioritize patch readiness ahead of ZDI public disclosure windows.
  3. OEM and supplier PSIRTs should confirm receipt of ZDI vendor notifications and initiate internal triage immediately.
  4. Do not wait for public CVE publication — begin internal risk assessment based on known component exposure now.

SOURCES

  • Zero Day Initiative: Pwn2Own Automotive 2026 — The Full Schedule (ZDI Blog)
  • Zero Day Initiative: Pwn2Own Automotive 2026 — Day One, Day Two, Day Three Results (ZDI Blog)
  • Additional technical details and CVE assignments pending ZDI formal advisories

⚠ NOTE: Specific vulnerability classes, affected vendor names, and exploit techniques demonstrated have NOT been confirmed in available source material. This alert will require update as ZDI publishes full advisories.