
The curtain has fallen on Pwn2Own Berlin 2026. Three days. 47 unique zero-day vulnerabilities. $1,298,250 in total payouts. And a competition that, for the first time in its 19-year history, ran out of room — turning away over 150 researchers who arrived with working exploit chains.
That last detail is not a footnote. It is the headline underneath the headline.
ZDI confirmed a 450% year-over-year surge in submissions, driven almost entirely by AI-assisted vulnerability research. The pipeline that was built to responsibly absorb and disclose zero-days simply could not keep up. Rejected researchers did not walk away quietly — several dropped full proof-of-concept chains publicly, directly to vendors, bypassing the coordinated disclosure model entirely. One Firefox zero-day went public mid-contest, invalidating competing entries that had already been accepted. The format held, but it was visibly straining under the weight of what the research community is now capable of producing.
Inside the contest itself, the results were historic.
The Champion: DEVCORE
DEVCORE claimed Master of Pwn with 50.5 points and $505,000 — a dominant performance that was effectively decided by Day 2. The team’s output was led by one of the most technically celebrated researchers in the field.
Orange Tsai opened Day 1 with a four-logic-bug chain that escaped the Microsoft Edge sandbox entirely, earning $175,000 and 17.5 Master of Pwn points in a single demonstration. His own words after the win: “a full chain with logic bugs only — no memory corruption, no AI, and no collisions.” That distinction matters. Logic-bug chains are harder to detect, harder to patch systematically, and harder to replicate defensively than memory corruption exploits. They require deep product knowledge and creative abuse of intended functionality. This was elite-level work.
Day 2, Orange Tsai returned and chained three bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange — the event’s second $200,000 payout and 20 additional Master of Pwn points. The Exchange vulnerability is now tracked as CVE-2026-42897 and has already been confirmed exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalog. On Day 3, DEVCORE researcher splitline chained two bugs to compromise Microsoft SharePoint for another $100,000.
In three days, DEVCORE hit Edge, Exchange, SharePoint, and Windows 11 — Microsoft’s enterprise stack, end to end.
STARLabs SG finished second with 25 points and $242,500, anchored by Nguyen Hoang Thach’s memory corruption exploit against VMware ESXi with cross-tenant code execution, worth $200,000 on its own. Out Of Bounds took third with 12.75 points and $95,750.
Day 1 — May 14 | $523,000 | 24 Zero-Days
The opening day was the most productive single day in Pwn2Own history, with 24 unique zero-days across seven categories.
Microsoft Edge fell first and hardest. Orange Tsai’s four-logic-bug sandbox escape for $175,000 set the tone immediately.
Windows 11 was compromised three separate times by three independent teams using three distinct vulnerability classes — an improper access control flaw by Angelboy and TwinkleStar03 of DEVCORE (Internship Program), a heap-based buffer overflow by Marcin Wiązowski, and a chained use-after-free pair by Kentaro Kawane of GMO Cybersecurity by Ierae. Each earned $30,000. Three different bugs, one operating system, one day — a meaningful signal for defenders about the breadth of Windows 11’s attack surface.
Red Hat Enterprise Linux for Workstations fell to Valentina Palmiotti of IBM X-Force Offensive Research via a race condition exploit for $20,000. Palmiotti then doubled her day by hitting the NVIDIA Container Toolkit with a single-bug exploit for another $50,000. Two targets, $70,000, and a clear demonstration that container infrastructure running AI workloads is now firmly in scope for advanced attackers.
On the AI side, the new categories attracted intense scrutiny. LiteLLM — an open-source proxy used by over 50,000 enterprises to interface with LLMs including Azure OpenAI, Anthropic, and Cohere — was brought down by researcher k3vg3n via a three-bug chain combining SSRF and code injection for $40,000. LM Studio fell to STARLabs SG via a five-bug chain including SSRF and code injection for $40,000. OpenAI Codex was exploited twice: by Compass Security using a CWE-150 delimiter injection bug ($40,000) and by Doyensec’s maitai ($40,000). NVIDIA Megatron Bridge was hit by Satoki Tsuji of Ikotas Labs via an overly permissive allowed list flaw ($20,000) and by haehae of Out Of Bounds via a separate zero-day ($20,000). Chroma, the vector database, fell to haehae via an integer overflow chained with a race condition (CWE-190 + CWE-362) for $20,000.
Day 1 failures included Viettel Cyber Security’s attempt on OpenAI Codex, Park Jae Min’s attempt on Oracle Autonomous AI Database, and Interrupt Labs’ attempt on the NVIDIA Container Toolkit — all unsuccessful within the time limit.
Day 2 — May 15 | $385,750 | 15 Zero-Days
Day 2 was defined by one entry above all others.
Orange Tsai’s three-bug chain for SYSTEM-level RCE on Microsoft Exchange earned $200,000, representing the highest single payout of the entire competition. Exchange is a perennial target precisely because of its role as a central authentication and communication hub in enterprise environments. Full SYSTEM-level code execution via a chained exploit means complete control of the server and, in many network topologies, a direct path to lateral movement at scale. CVE-2026-42897 moved from Pwn2Own stage to active in-the-wild exploitation confirmation within 48 hours of the demonstration.
Cursor, the AI coding agent, fell twice. Le Duc Anh Vu of Viettel Cyber Security achieved a full win for $30,000 and 3 points. Compass Security followed with a second successful entry in round two for $15,000 and 3 points. Two separate exploits against the same AI coding tool in one day signal that the attack surface of AI-integrated development environments is not yet well understood by the industry deploying them.
LM Studio fell again via a code injection bug, this time by OtterSec (Nikolaos Mourousias, Caue Obici, Bruno Halltari), earning $20,000. OpenAI Codex was exploited again by Sina Kheirkhah of Summoning Team for $20,000. Red Hat Enterprise Linux was hit by Ben Koo of Team DDOS via a use-after-free for $10,000. Windows 11 fell once more — Siyeon Wi used an integer overflow to escalate privileges for $7,500.
Collision entries on Day 2 included Out Of Bounds hitting Ollama ($28,000), Out Of Bounds hitting LiteLLM ($17,750), Summoning Team hitting Anthropic Claude Desktop ($10,000), and STARLabs SG hitting NVIDIA Megatron Bridge ($2,500).
Day 2 failures included Palo Alto Networks on Apple Safari Renderer Only, Rapid7’s Stephen Fewer on Microsoft SharePoint, and Viettel Cyber Security on Mozilla Firefox Renderer Only — all unable to complete their chains within the allotted time. Two teams withdrew their entries before attempting.
Day 3 — May 16 | $389,500 | 8 Zero-Days
The final day delivered its biggest payout to STARLabs SG.
Nguyen Hoang Thach exploited VMware ESXi using a memory corruption bug, activating the cross-tenant code execution add-on for a $200,000 award and 20 Master of Pwn points. VMware ESXi sits beneath workloads across cloud and enterprise infrastructure globally. Memory corruption leading to cross-tenant code execution in a hypervisor means an attacker who breaks into one tenant’s environment can reach another — the fundamental boundary guarantee of virtualized infrastructure, broken.
DEVCORE’s splitline chained two bugs to compromise Microsoft SharePoint for $100,000 and 10 Master of Pwn points. Satoki Tsuji of Ikotas Labs exploited OpenAI Codex for the second time across the event — this entry via an external control abuse mechanism — for $20,000.
Anthropic Claude Code was targeted twice on Day 3. Both Compass Security and Byung Young Yi of Out Of Bounds successfully demonstrated exploits on stage, but both hit collision with previously disclosed bugs, each earning $20,000 in partial credit.
Windows 11 was compromised again by Viettel Cyber Security’s team (Le Tran Hai Tung, dungnm, hieuvd) via an integer overflow for $7,500 — the fifth time Windows 11 was successfully exploited across the three-day event. Red Hat Enterprise Linux for Workstations fell to Hyunwoo Kim, who chained a use-after-free with an uninitialized memory flaw for $5,000. Sina Kheirkhah of Summoning Team hit Red Hat Linux with a two-bug chain for $7,000, though one bug was known, making it a partial collision.
The only outright Day 3 failure was Giuseppe Calì of Summoning Team, who could not get their VMware ESXi exploit working within the time allotted.
Vulnerability Class Breakdown
Across 47 zero-days, the dominant bug classes were:
Logic flaws (chained) powered the two most expensive entries — Edge and Exchange — both by Orange Tsai. No memory corruption required. These are harder to identify through static analysis and harder to block with memory-safety mitigations.
Integer overflow was the most commonly demonstrated Windows 11 privilege escalation vector across all three days.
Use-after-free appeared in multiple entries targeting Windows 11 and Red Hat Linux.
SSRF and code injection chains were the defining pattern for AI platform compromises, appearing in LiteLLM, LM Studio, and Cursor entries.
Memory corruption enabled the highest-value Day 3 payout against VMware ESXi.
External control abuse and overly permissive access controls emerged in AI-specific targets — OpenAI Codex and NVIDIA Megatron Bridge — categories that have not been pressure-tested at this level before.
The AI Angle: No Longer a Sideshow
Every AI category at Pwn2Own Berlin 2026 was compromised. LiteLLM fell three times. OpenAI Codex fell three times across two days. LM Studio fell twice. Cursor fell twice. Claude Code was successfully exploited twice (both collisions). NVIDIA Megatron Bridge fell twice. Chroma fell once.
The attack surface profile of these tools is different from traditional enterprise software. They handle external inputs at scale, proxy requests to cloud backends, integrate with file systems and API keys, and often run with elevated permissions in development environments. SSRF vulnerabilities in LLM proxies like LiteLLM are particularly dangerous because of what those proxies can reach: internal model endpoints, API credentials, and cloud metadata services. Code injection in tools like Cursor and LM Studio translates directly into arbitrary execution in environments that developers trust implicitly.
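The SSRF exposure described above, as an added example that is not LiteLLM's or any other proxy's own code: an outbound URL guard a proxy could apply to a configured backend before forwarding, checking the scheme, a host allowlist, and every resolved address against private and link-local ranges (including the cloud metadata address). ALLOWED_HOSTS, check_backend_url and the example host are assumptions; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added illustration, not LiteLLM's or any other proxy's own code: an outbound
# URL guard for a proxy that forwards requests to configured model backends.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",   # link-local, includes cloud metadata 169.254.169.254
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
# Constructed sample allowlist of backend hosts the proxy may call.
ALLOWED_HOSTS = {"api.example-llm.invalid"}

def _system_resolve(host):
    """Resolve with the OS resolver; swapped out for a stub in tests."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_backend_url(url, resolve=_system_resolve):
    """Return (ok, reason). Rejects non-HTTPS URLs, hosts outside the
    allowlist and any resolved address inside a blocked range, so a DNS
    answer pointing an allowlisted name at a metadata service is caught."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}"
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges apply.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```

Passing a stub resolver such as `lambda h: ["169.254.169.254"]` for an allowlisted host exercises the rebinding case offline and returns a rejection.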
None of this is theoretical anymore. Pwn2Own put working exploit chains on stage against fully patched, production versions of these tools. Every enterprise that has deployed any of these platforms in the last twelve months should treat the 90-day coordinated disclosure window as a hard patching deadline, not an advisory.
The Bigger Story: Supply Overflow
The structural story of Pwn2Own Berlin 2026 is not the exploits on stage. It is what happened before the stage.
Over 150 researchers were turned away because all time slots were filled — the first time in the contest’s history this has happened. ZDI confirmed a 450% increase in submissions year-over-year, driven by AI-assisted vulnerability research. The competitive pipeline that was designed to capture, validate, and responsibly disclose zero-days is no longer large enough to contain the volume of working exploits being produced.
Some of those rejected researchers went to vendors directly. One went public with a Firefox full-chain, prompting an emergency patch from Mozilla that invalidated accepted Pwn2Own entries. The coordinated disclosure model held in form, but the volume pressure is real and growing.
The implication is straightforward: the rate at which skilled researchers — increasingly augmented by AI tooling — are finding exploitable vulnerabilities is accelerating faster than the institutional infrastructure designed to triage them. That gap will define the next phase of the vulnerability intelligence landscape.
What Defenders Should Do Now
Patch Exchange immediately. CVE-2026-42897 is already confirmed exploited in the wild. If your organization runs Exchange on-premises, this is not a scheduled patch window item — it is a now item.
Treat AI platforms as production attack surface. LiteLLM, LM Studio, Cursor, OpenAI Codex, and similar tools should go through the same vulnerability management and patch discipline as any other enterprise software. They did not earn that treatment before Pwn2Own. They have earned it now.
VMware ESXi hypervisor isolation is your next priority. A memory corruption exploit enabling cross-tenant code execution is the scenario hypervisor security is meant to prevent. Validate your ESXi patch state and monitor ZDI’s 90-day disclosure timeline for technical details.
Windows 11 privilege escalation is a persistent pattern. Five independent successful exploits across three days using five different bug classes means Windows 11’s local privilege escalation surface is broad and active. Endpoint hardening, least-privilege enforcement, and attack surface reduction rules are not optional in this environment.
Watch the 90-day clock. All 47 vulnerabilities are under coordinated disclosure. When the technical details release, weaponization follows fast. Know which of your systems are affected and be ready.
Pwn2Own Berlin 2026 was not just a hacking competition. It was a stress test of the enterprise security posture that most organizations believe is adequate. The score: attackers 47, defenders zero.
The 90-day clock is running.
— TheCyberThrone | Thinking Security. Always.


