And don't miss our bug of the month! Each patch Tuesday we'll be selecting our very favorite patch to highlight. This month, it's CVE-2026-26144 - a Critical-rated info disclosure in Excel that uses the Copilot Agent to exfiltrate data. Neat! youtube.com/shorts/r4EjP...
Better late than never, @dustinchilds.bsky.social is back with the Patch Report for the March Patch Tuesday release. Ignore the frog in his throat and see what you may otherwise miss in the latest updates from Adobe and Microsoft youtu.be/JO6HIzaXkJU
Happy Patch Tuesday! The latest security patches from #Adobe and #Microsoft are here. Thankfully, no bugs are listed as being under attack, but there's still some interesting ones in the mix. Join @dustinchilds.bsky.social as he breaks down the March release www.zerodayinitiative.com/blog/2026/3/...
[ZDI-26-124|CVE-2025-15060] claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability (CVSS 9.8; Credit: Peter Girnus of Trend Research) zerodayinitiative.com/advisories/Z...
Heading to the #[un]prompted conference next week? Be sure to catch @gothburz.bsky.social's talk on "FENRIR: AI Hunting for AI Zero-Days at Scale". His talk shows how FENRIR has detected over 100+ CVEs since mid-2025. Don't miss it. unpromptedcon.org
CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad - The TrendAI Research team takes a deep dive into this recently patched file parsing bug to show you root cause, source code walk through, and provide detection guidance. Read the details at www.zerodayinitiative.com/blog/2026/2/...
No time to read the blog? Interested in the nuance in this month's release? Or just curious to see if @dustinchilds.bsky.social is still awake in Tokyo? Check out the Patch Report for February, 2026! youtu.be/ibKzs_q6OoM
Microsoft reports six(!) exploits in the wild while Adobe has a small (and relatively quiet) month. Join @dustinchilds.bsky.social from Tokyo as he breaks down the release and shows you what to watch for. www.zerodayinitiative.com/blog/2026/2/...
CVE-2025-6978: Arbitrary Code Execution in the #Arista NG Firewall - our researchers took a deep dive into this recently patched RCE to provide root cause and detection guidance. Read all the details at www.zerodayinitiative.com/blog/2026/2/...
$1,047,000 - 76 unique 0-day vulnerabilities - three days of incredible research on display. #Pwn2Own Automotive had it all: bold exploits, clever techniques, and collisions. Congrats to Fuzzware.io (@ScepticCtf, @diff_fusion, @SeTcbPrivilege), Master of Pwn with $215,500 and 28 points! #P2OAuto
Collision! Ryo Kato (@Pwn4S0n1c) targeted the Autel MaxiCharger AC Elite Home 40A, demonstrating a three-bug chain but encountering one collision, still earning $16,750 USD and 3.5 Master of Pwn points. #Pwn2Own #P2OAuto
Verified! Nam Ha Bach and Vu Tien Hoa of the FPT NightWolf Team targeted the Alpine iLX-F511, exploiting one unique vulnerability to gain root access and earning $5,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
Confirmed! Elias Ikkelä-Koski and Aapo Oksman of Juurin Oy targeted the Kenwood DNR1007XR, demonstrating a link-following vulnerability to earn $5,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
Collision. Autocrypt (Hoyong Jin, Jaewoo Jeong, Chanhyeok Jung, Minsoo Son, and Kisang Choi) targeted the Alpine iLX-F511, demonstrating two vulnerabilities to gain root access. One collided with a previously known issue, earning $3,000 USD and 1.25 Master of Pwn points. #Pwn2Own #P2OAuto
Collision! Nguyen Thanh Dat (@rewhiles) of Viettel Cyber Security (@vcslab) targeted the Kenwood DNR1007XR, demonstrating one bug but encountering a collision, earning $2,500 USD and 1 Master of Pwn point. #Pwn2Own #P2OAuto
Boom! or shall I say Doom? Game On! Aapo Oksman, Elias Ikkelä-Koski and Mikael Kantola of Juurin Oy exploit the Alpitronic HYC50 with a TOCTOU bug - and installed a playable version of Doom to boot. They earn $20,000 and 4 Master of Pwn points. #Pwn2Own #P2OAuto
Collision! Qrious Secure (@qriousec) targeted the Kenwood system, demonstrating three bugs - one n-day and two unique vulnerabilities (incorrect permission assignment and a race condition), earning $4,000 USD and 1.75 Master of Pwn points. #Pwn2Own #P2OAuto
Confirmed! Viettel Cyber Security (@vcslab) targeted the Sony XAV‑9500ES, exploiting a heap‑based buffer overflow to achieve arbitrary code execution, earning $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
Verified! Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeted the Alpine iLX‑F511, exploiting a stack‑based buffer overflow to earn $5,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
Confirmed! PetoWorks (@petoworks) targeted the Grizzl-E Smart 40A, exploiting one buffer overflow bug, and earned $10,000 USD and 4 Master of Pwn points. #Pwn2Own #P2OAuto
Collision! Team MST targeted the Kenwood DNR1007XR, demonstrating one bug but running into a collision, earning $2,500 USD and 1 Master of Pwn point. #Pwn2Own #P2OAuto
Another collision! Slow Horses of Qrious Secure (@qriousec) targeted the Grizzl-E Smart 40A but encountered two bug collisions, still earning $5,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
Collision! Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeted the Alpine iLX-F511, demonstrating one vulnerability previously used by another contestant, earning $2,500 USD and 1 Master of Pwn point. #Pwn2Own #P2OAuto
Day 3 of Pwn2Own Automotive 2026 is here - the final push. Bold attempts. High stakes. One last day. #Pwn2Own #P2OAuto
In a highlight from Day 2 of #Pwn2Own Automotive, the team from @synacktiv.com is at it again. This time, they leverage NFC(!) to exploit the #Autel MaxiCharger with a stack-based buffer overflow. Amazing! We've never seen an NFC exploit like this one before. youtube.com/shorts/eGAMc...
What a day! We saw some amazing research on display as the team from Fuzzware.io takes a huge lead in the Master of Pwn standings. So far, we have awarded a monstrous $955,750 over 2 days for 66 0-days. For the full results of Day 2 of #Pwn2Own Automotive, see www.zerodayinitiative.com/blog/2026/1/...
In a highlight from Day One of #Pwn2Own Automotive 2026, @synacktiv.com targets the #Tesla infotainment system. #P2OAuto youtube.com/shorts/DKYT-...
Another Collision to close out Day 2! BoB::Takedown targeted the Phoenix Contact CHARX SEC-3150, demonstrating three bugs, but ran into two collisions, earning $6,750 USD and 2.75 MoP. #Pwn2Own #P2OAuto
Wrapping up Day Two of #Pwn2Own Automotive - we saw some amazing research demonstrated today, some of which had never been seen in public before! Join @dustinchilds.bsky.social as he summarizes the highlights and previews the final day. youtu.be/xKZtfblNrHc
Collision! ZIEN Inc. targeted the ChargePoint Home Flex (CPH50-K), demonstrating two unique bugs (symlink following and command injection) but encountered a collision with a previous attempt - still earning $16,750 USD and 3.5 Master of Pwn points. #Pwn2Own #P2OAuto