CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Pwn2Own Berlin 2026: 47 zero-days demonstrated across enterprise, AI, and virtualization platforms

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Security researchers earned $1,298,250 in rewards at Pwn2Own Berlin 2026 by demonstrating 47 unique zero-day vulnerabilities across enterprise technologies, artificial intelligence systems, and virtualization platforms. The three-day contest, held at OffensiveCon from May 14 to 16, 2026, focused on fully patched targets including web browsers, enterprise applications, privilege escalation vectors, servers, AI inference systems, cloud-native environments, virtualization software, and large language model (LLM) platforms. Winners received payouts incrementally: $523,000 on day one for 24 zero-days, $385,750 on day two for 15 zero-days, and $389,500 on day three for eight zero-days. The top reward, $200,000, was awarded to Cheng-Da Tsai of DEVCORE for a remote code execution chain leading to SYSTEM privileges on Microsoft Exchange. DEVCORE secured the overall Master of Pwn title with 50.5 points and $505,000 in total earnings.

Timeline

  1. 18.05.2026 08:33 1 articles · 22h ago

    Pwn2Own Berlin 2026 concludes with exploitation of 47 zero-days across enterprise, AI, and virtualization platforms

    The Pwn2Own Berlin 2026 competition concluded on May 16, 2026, after three days of exploits targeting 47 unique zero-day vulnerabilities. Researchers earned $1,298,250 in rewards while demonstrating exploits against fully patched targets including Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit, VMware ESXi, and multiple AI coding agents. Notable achievements included a $200,000 reward for a SYSTEM-level RCE chain on Microsoft Exchange and multiple sandbox escapes targeting Microsoft Edge and AI environments.

    Show sources
    Open in new tab

Information Snippets

  • DEVCORE won Pwn2Own Berlin 2026 with 50.5 Master of Pwn points and $505,000 in total rewards.

    First reported: 18.05.2026 08:33
    1 source, 1 article
    Show sources

  • Cheng-Da Tsai (Orange Tsai) of DEVCORE received the highest single reward of $200,000 for chaining three vulnerabilities to achieve SYSTEM-level remote code execution on Microsoft Exchange.

    First reported: 18.05.2026 08:33
    1 source, 1 article
    Show sources

  • A total of 47 unique zero-day vulnerabilities were successfully exploited during the contest across enterprise software, AI systems, virtualization, web browsers, and cloud-native platforms.

    First reported: 18.05.2026 08:33
    1 source, 1 article
    Show sources

  • Vendors have been granted a 90-day disclosure window by Trend Micro’s Zero Day Initiative (ZDI) to release security patches before public disclosure of the vulnerabilities.

    First reported: 18.05.2026 08:33
    1 source, 1 article
    Show sources

  • Targets included Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, Windows 11, Red Hat Linux, NVIDIA Container Toolkit, VMware ESXi, and multiple AI coding agents.

    First reported: 18.05.2026 08:33
    1 source, 1 article
    Show sources

  • Orange Tsai also earned $175,000 on day one for a Microsoft Edge sandbox escape achieved by chaining four logic bugs.

    First reported: 18.05.2026 08:33
    1 source, 1 article
    Show sources

  • Valentina Palmiotti (chompie) of IBM X-Force Offensive Research earned $70,000 for achieving root access on Red Hat Linux for Workstations and exploiting an NVIDIA Container Toolkit zero-day.

    First reported: 18.05.2026 08:33
    1 source, 1 article
    Show sources