Full Report
Also, cybercriminals get breached, Gemini spills the calendar beans, and more infosec in brief

'Twas a dark few days for automotive software systems last week, as the third annual Pwn2Own Automotive competition uncovered 76 unique zero-day vulnerabilities in targets ranging from Tesla infotainment to EV chargers.…
Analysis Summary
As a vulnerability research specialist, I have analyzed the provided context focusing on the Pwn2Own Automotive 2026 findings, as specific CVEs and detailed remediation information for all 76 vulnerabilities were not publicly detailed in this summary article.
Here is the structured summary based on the information available:
# Vulnerability: Zero-Day Exploits at Pwn2Own Automotive 2026
## CVE Details
- **CVE ID:** N/A (Specific CVEs for the 76 zero-days are pending public disclosure/assignment.)
- **CVSS Score:** N/A (Scores for individual vulnerabilities are not provided in this summary.)
- **CWE:** Examples include CWE-121 (Out-of-bounds Write) and CWE-367 (Time-of-Check to Time-of-Use).
## Affected Systems
- **Products:**
  - Alpitronic HYC50 EV Charger
  - Tesla Infotainment Systems
  - Automotive Grade Linux (AGL)
- **Versions:** Unknown/Vendor specific (Vulnerability scope defined by competition targets).
- **Configurations:** Standard deployments of the listed products.
## Vulnerability Description
The Pwn2Own Automotive 2026 competition revealed 76 unique zero-day vulnerabilities across various automotive and EV infrastructure components. Successful attacks targeted multiple product types:
1. **Alpitronic HYC50 EV Charger:** Exploited via an Out-of-Bounds Write (leading to a $60k payout), a Time-of-Check to Time-of-Use (TOC/TOU) vulnerability used to display the game *Doom*, and an exposed "dangerous" method call.
2. **Tesla Infotainment System:** Fully compromised by chaining an Information Leak vulnerability with an Out-of-Bounds Write.
3. **Automotive Grade Linux (AGL):** Compromised through a chain of three distinct vulnerabilities.
## Exploitation
- **Status:** Successfully exploited in a controlled, restricted environment (Pwn2Own competition). Not confirmed as "Exploited in the wild" in this context. PoC exists (the successful exploit demonstration).
- **Complexity:** Varied. The $60,000 payout exploit on the EV charger suggests a high complexity/impact for that specific vulnerability chain.
- **Attack Vector:** Likely a mix of network and potentially physical/local access depending on the specific target and exploit path (e.g., infotainment systems often allow adjacent network access or local interaction).
## Impact
- **Confidentiality:** High (Implied by information leak leading to Tesla compromise).
- **Integrity:** High (Implied by ability to execute arbitrary code/run Doom on chargers and full takeover of infotainment).
- **Availability:** Medium to High (Disruption or denial of service on EV charging infrastructure or vehicle functions).
## Remediation
### Patches
- **Status:** Vendors are expected to release patches to address the discovered vulnerabilities.
- **Available patches and versions:** None specified in the article. Vendors must coordinate disclosures with Trend Micro's Zero Day Initiative (ZDI) before releasing fixes.
### Workarounds
- No specific workarounds were detailed in the summary for these zero-days. Mitigation guidance generally relies on vendor security updates.
## Detection
- **Indicators of Compromise:** Depends entirely on the specific vulnerability exploited (e.g., unusual memory access patterns for OOB writes, unexpected command execution on chargers).
- **Detection methods and tools:** Intrusion Detection/Prevention Systems (IDS/IPS) monitoring network protocols relevant to AGL, Tesla systems, and EV charging communication stacks should be employed. Monitoring for abnormal process execution or file system changes on ECU/infotainment platforms is crucial.
## References
- Vendor advisories: Awaiting vendor disclosure following Pwn2Own analysis by ZDI.
- Relevant links:
  - Pwn2Own Automotive 2026 Day One Results: defanged.zerodayinitiative.com/blog/2026/1/21/pwn2own-automotive-2026-day-one-results
  - Pwn2Own Automotive 2026 Master of Pwn Results: defanged.zerodayinitiative.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn
  - Pwn2Own Automotive 2026 Day Two Results: defanged.zerodayinitiative.com/blog/2026/1/22/pwn2own-automotive-2026-day-two-results
  - CWE for TOC/TOU: defanged.cwe.mitre.org/data/definitions/367.html