Microsoft Edge sandbox escape and Windows 11 privilege escalation zero-days demonstrated at Pwn2Own Berlin 2026

1 unique source, 1 article

Summary

Security researchers demonstrated 24 unique zero-day exploits at Pwn2Own Berlin 2026 on May 14, 2026, earning $523,000 in total rewards. Orange Tsai successfully chained four logic bugs to achieve a sandbox escape in Microsoft Edge, receiving $175,000. Windows 11 privilege escalation zero-days were demonstrated by three separate teams—Angelboy and TwinkleStar03 (DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane (GMO Cybersecurity)—each earning $30,000. The exploits targeted fully patched systems under competition rules requiring arbitrary code execution.

Timeline

  1. 14.05.2026 21:53 · 1 article

    Pwn2Own Berlin 2026: Day 1 zero-day demonstrations include Microsoft Edge sandbox escape and Windows 11 privilege escalation exploits

    Security researchers earned $523,000 in cash awards for 24 unique zero-day exploits demonstrated on fully patched systems. Orange Tsai chained four logic bugs to achieve a sandbox escape in Microsoft Edge, earning $175,000. Three independent teams separately demonstrated privilege escalation zero-days in Windows 11, each earning $30,000. Additional exploits targeted Red Hat Linux, NVIDIA Container Toolkit, LiteLLM, NVIDIA Megatron Bridge, OpenAI’s Codex coding agent, Chroma, and LM Studio, with awards ranging from $20,000 to $40,000 per entry.

Information Snippets

  • Orange Tsai chained four logic bugs to achieve a sandbox escape in Microsoft Edge, earning $175,000 in cash rewards.

    First reported: 14.05.2026 21:53
    1 source, 1 article
  • Windows 11 privilege escalation zero-days were demonstrated by three independent teams: Angelboy and TwinkleStar03 (DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane (GMO Cybersecurity), each earning $30,000.

    First reported: 14.05.2026 21:53
    1 source, 1 article
  • Valentina Palmiotti (IBM X-Force XOR) earned $20,000 for rooting Red Hat Linux for Workstations and an additional $50,000 for a zero-day in the NVIDIA Container Toolkit.

    First reported: 14.05.2026 21:53
    1 source, 1 article
  • Other notable exploits included k3vg3n chaining three bugs to compromise LiteLLM ($40,000), Satoki Tsuji and haehae exploiting NVIDIA Megatron Bridge zero-days ($20,000), and Compass Security and maitai (Doyensec) hacking OpenAI’s Codex coding agent ($40,000 each).

    First reported: 14.05.2026 21:53
    1 source, 1 article
  • haehae demonstrated a Chroma zero-day ($20,000) and STARLabs SG presented a zero-day in LM Studio ($40,000).

    First reported: 14.05.2026 21:53
    1 source, 1 article
  • The DEVCORE Research Team led the competition with $205,000 in earnings, followed by Valentina Palmiotti with $70,000.

    First reported: 14.05.2026 21:53
    1 source, 1 article
  • All targeted exploits required arbitrary code execution on fully patched systems under Pwn2Own rules. Vendors receive 90 days to address disclosed zero-days after the competition.

    First reported: 14.05.2026 21:53
    1 source, 1 article