Zero-Days on the Highway: Hackers Take Tesla and EV Tech Hostage at Pwn2Own 2026
Subtitle: Security researchers breach Tesla infotainment and 36 other automotive targets in a record-breaking onslaught of zero-day exploits at Tokyo’s Pwn2Own Automotive 2026.
As the neon lights of Tokyo flickered over the Automotive World conference, hackers inside a packed auditorium were busy dismantling the digital defenses of the modern car. Pwn2Own Automotive 2026 has once again turned the auto industry’s tech dreams into a cybersecurity wake-up call - this time, with Tesla and a parade of EV chargers falling victim to an unprecedented 37 zero-day exploits on just the first day.
Inside the Automotive Breach
The Pwn2Own contest has always been a pressure cooker for software vendors, but this year’s automotive edition set new records. The Synacktiv Team, renowned for their methodical approach, chained an information leak with an out-of-bounds write flaw to gain root privileges on Tesla’s Infotainment System - earning $35,000 and sending a clear message about the system’s exposure to physical USB-based attacks. Their appetite for risk didn’t stop at Tesla: they also toppled Sony’s flagship in-car receiver, bagging another $20,000.
But the competition was fierce. Team Fuzzware.io raked in $118,000 by hacking a trio of high-profile EV charging stations and navigation receivers, while PetoWorks and DDOS each demonstrated their prowess by breaking into critical charging controllers and smart vehicle chargers, collecting tens of thousands in bounties. The day’s tally: over half a million dollars, 37 new zero-days, and a leaderboard in constant flux.
These attacks weren’t theoretical. Each exploit was executed live against fully patched, production-grade systems, including Tesla’s latest software and widely deployed EV infrastructure. The vulnerabilities ranged from classic memory safety flaws to intricate chains that bypassed multiple security layers, highlighting persistent weaknesses in automotive cybersecurity.
Vendors now face a 90-day countdown to patch their systems before the details go public - a ticking clock that underscores just how fast adversaries can move. The stakes are high: modern vehicles are rolling computers, and each zero-day represents a potential gateway for attackers to disrupt, surveil, or even hijack critical automotive functions.
Lessons on the Road Ahead
Pwn2Own Automotive 2026 is more than a contest - it’s a mirror held up to the auto industry’s digital ambitions. As cars become smarter and more connected, the race between defenders and attackers only accelerates. For now, the hackers have the lead, but the real winners will be the millions of drivers whose safety depends on how quickly these lessons are learned - and acted upon.
WIKICROOK
- Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
- Root privileges: Root privileges are the highest access rights on a system, allowing complete control over all functions, settings, and data. They are reserved for trusted users.
- Chained exploit: A chained exploit links multiple vulnerabilities in sequence, allowing attackers to bypass defenses and achieve more damaging attacks than single exploits.
- Infotainment System: An infotainment system is a vehicle’s digital dashboard that manages entertainment, navigation, connectivity, and sometimes vehicle controls in one interface.
- Memory safety flaw: A memory safety flaw is a programming error allowing attackers to access or modify memory they shouldn't, risking data leaks or system compromise.