At OffensiveCon’s Pwn2Own Berlin 2026, researchers collected $908,000 in prizes by demonstrating 39 zero‑days across Windows 11, Microsoft Edge, Exchange, Linux, Nvidia and several AI platforms. Attendance hit a record high, with organizers turning away more than 150 teams, and vendors now have a 90‑day window to patch the disclosed flaws.
Pwn2Own Berlin 2026 Wrap‑Up: Windows 11, Edge, Exchange and AI Platforms Cracked

The final day of Pwn2Own Berlin 2026 closed out a record‑setting competition at the OffensiveCon conference. In just two days, participants collected $908,000 in prize money by demonstrating 39 distinct zero‑day vulnerabilities that span the Microsoft stack, Red Hat Enterprise Linux, Nvidia infrastructure and a surprising lineup of AI services.
What happened – day‑by‑day breakdown
Day 1 – Edge falls, Windows 11 hacked three times
- Payout: $523,000 for 24 zero‑days
- Highlight: Orange Tsai (DEVCORE) chained four logic bugs to break out of the Microsoft Edge sandbox, earning the single largest day‑one bounty of $175,000.
- Windows 11: Three independent researchers each disclosed a privilege‑escalation chain, netting $30,000 per exploit.
- Linux & Nvidia: Valentina Palmiotti (IBM X‑Force) earned $70,000 for two exploits targeting the NVIDIA Container Toolkit and Red Hat Enterprise Linux.
- AI category: Exploits were shown against LiteLLM, OpenAI Codex, NVIDIA Megatron Bridge, Chroma and LM Studio, proving that generative‑AI services are now prime attack surfaces.
Day 2 – Exchange compromised, more Windows 11 tricks
- Payout: $385,750 for 15 zero‑days
- Top bounty: Orange Tsai returned, this time linking three bugs to achieve remote code execution with SYSTEM privileges on a fully patched Microsoft Exchange Server. The exploit fetched $200,000, the highest single prize of the event.
- Windows 11: Another set of privilege‑escalation bugs was demonstrated, keeping the OS in the crosshairs.
- AI repeat: The Cursor AI coding assistant and OpenAI Codex were each hit again, confirming that AI‑assisted development tools inherit the same flaws as the models they embed.
Day 3 – Results pending
The competition announced that Day 3 results will be released later this week, with a fresh batch of vulnerabilities expected from the remaining schedule.
How it compares to previous Pwn2Own editions
| Metric | Berlin 2026 | Berlin 2025 | London 2024 |
|---|---|---|---|
| Total prize money | $908,000 | $620,000 | $550,000 |
| Zero‑days disclosed | 39 | 28 | 22 |
| Researchers turned away | >150 (first time capacity reached) | ~80 | ~30 |
| AI‑related exploits | 7 (all day 1) | 2 | 0 |
The jump in prize pool and zero‑day count reflects two trends: (1) vendors are allocating larger bounties for chainable logic bugs, and (2) the community is shifting focus toward AI‑driven attack surfaces. Compared with the 2025 edition, the 2026 event doubled the AI category and saw a 30 % increase in total payouts.
Technical takeaways for each platform
Microsoft Edge – logic‑bug chaining
Edge’s sandbox relies on a combination of C++ memory safety checks and process isolation via Windows Job Objects. Tsai’s chain exploited a type‑confusion in the V8 JavaScript engine, followed by a use‑after‑free in the rendering pipeline, and finally a privilege‑escalation via a mis‑configured COM interface. The lesson for developers is that multiple low‑severity bugs can combine into a full escape, so mitigation must address cross‑component state validation, not just individual bug fixes.
Windows 11 – privilege escalation
All three Windows 11 exploits leveraged kernel‑mode driver flaws that allowed arbitrary write primitives. Two of the bugs were classic stack buffer overflows in legacy printer drivers, while the third used a race condition in the Windows Subsystem for Linux (WSL) that permitted token manipulation. Patch priority should focus on driver signing enforcement and tighter WSL isolation.
Microsoft Exchange – remote code execution
Tsai’s Exchange exploit chained a deserialization bug in the Outlook Web Access (OWA) component with a file‑write vulnerability in the Exchange Transport service. By delivering a crafted OWA request, the attacker forced the server to write a malicious DLL to a privileged directory, which the transport service later loaded with SYSTEM rights. Exchange administrators should apply the emergency patches released by Microsoft and consider network segmentation for OWA endpoints.
Linux & Nvidia – container toolkit and driver stack
The NVIDIA Container Toolkit flaw was a path‑traversal that allowed a low‑privileged container to write to host‑level directories, effectively breaking container isolation. Red Hat’s vulnerability involved an integer overflow in the systemd journal subsystem, leading to kernel‑mode code execution. Both cases underline the need for strict namespace enforcement and thorough input validation in container runtimes.
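To make the container‑toolkit takeaway concrete, here is an added example (not code from any competition entry, NVIDIA or Red Hat) of the host‑path containment check a runtime needs: it canonicalises the container‑supplied path, following both `..` components and symlinks, before testing that the result stays under the container’s rootfs. The rootfs layout, directory names and sample paths are constructed for the demo.

```python
import os
import tempfile


def resolve_host_path(allowed_root: str, requested: str):
    """Map a container-supplied path onto the host and return the canonical
    host path, or None if it would land outside allowed_root.

    Both '..' components and symlinks are resolved with realpath() *before*
    the prefix check, because either one can redirect a mount or write target
    to a host directory outside the rootfs."""
    root = os.path.realpath(allowed_root)
    # Container paths are interpreted relative to the container's rootfs, so a
    # leading '/' is stripped rather than honoured as a host-absolute path.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def run_demo():
    """Build a throwaway rootfs containing a symlink that escapes it and run
    the check over a few constructed paths. Returns {requested: allowed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = os.path.join(tmp, "rootfs")
        outside = os.path.join(tmp, "host-secrets")  # stands in for a host dir
        os.makedirs(os.path.join(rootfs, "app"))
        os.makedirs(outside)
        # A symlink *inside* the rootfs that points at a host directory
        # outside it: the lexical prefix looks fine, the resolved path does not.
        os.symlink(outside, os.path.join(rootfs, "escape"))
        cases = [
            "/app/data.txt",                 # ordinary path: allowed
            "app/../app/data.txt",           # '..' that stays inside: allowed
            "../host-secrets/key",           # '..' escape: rejected
            "/escape/key",                   # symlink escape: rejected
            "/app/../../host-secrets/key",   # '..' escape via absolute path: rejected
        ]
        return {c: resolve_host_path(rootfs, c) is not None for c in cases}


if __name__ == "__main__":
    for path, allowed in run_demo().items():
        print(f"{path!r:36} -> {'allowed' if allowed else 'REJECTED'}")
```

A realpath() followed by a later open or mount is still a check‑then‑use sequence, so a runtime handling untrusted rootfs content should perform the operation relative to an already‑opened directory descriptor (openat‑style) or re‑verify the resolved target afterwards.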
AI platforms – prompt‑injection and model‑stealing
The AI exploits shared a common thread: insufficient sanitization of user‑provided prompts combined with over‑privileged backend APIs. For instance, the LiteLLM attack injected a malicious system command into a prompt that the service executed without proper sandboxing. OpenAI Codex was tricked into generating executable code that, when run, opened a reverse shell. Vendors must adopt defense‑in‑depth for model serving, including prompt filtering, restricted execution environments, and audit logging of generated code.
Who should care?
- Enterprise IT teams need to prioritize patching the disclosed Windows 11, Edge and Exchange bugs within the 90‑day disclosure window. Failure to do so leaves a high‑value attack surface open.
- DevOps engineers managing Linux containers should audit their toolkit configurations and enforce least‑privilege policies to mitigate the NVIDIA Container Toolkit issue.
- AI product owners must treat model APIs as critical infrastructure, applying strict input validation and runtime isolation to avoid prompt‑injection attacks.
- Security researchers can study the publicly released PoCs (available on the Zero Day Initiative site) to understand how logic‑bug chaining works across modern browsers and AI services.
Looking ahead
Pwn2Own Berlin 2026 proved that the attack surface is expanding beyond traditional OS kernels into AI services and container ecosystems. With capacity reached for the first time, the competition is clearly attracting more talent, which means vendors will face an increasingly sophisticated set of disclosures each year. The 90‑day patch window remains a crucial period; historically, the majority of these bugs are patched within that timeframe, but the sheer volume this year may strain vendor response teams.
For a full list of disclosed vulnerabilities and links to the official proof‑of‑concepts, visit the Zero Day Initiative’s Pwn2Own Berlin 2026 page.
