On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-days.
Today's highlight was the attempt by Orange Tsai, who was awarded $175,000 after chaining 4 logic bugs to achieve a sandbox escape on Microsoft Edge.
Windows 11 was also hacked three times by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity, each earning $30,000 in cash rewards for demonstrating new privilege escalation zero-days.
Valentina Palmiotti (chompie) of IBM X-Force Offensive Research (XOR) also collected $20,000 after rooting Red Hat Linux for Workstations and another $50,000 for a zero-day in the NVIDIA Container Toolkit.
Other successful attempts include k3vg3n chaining 3 bugs to take down LiteLLM ($40,000), Satoki Tsuji and haehae exploiting NVIDIA Megatron Bridge zero-days ($20,000), Compass Security and maitai of Doyensec hacking OpenAI's Codex coding agent (each earning $40,000), haehae dropping a Chroma zero-day ($20,000), and STARLabs SG an LM Studio zero-day ($40,000).
The DEVCORE Research Team is now leading the competition with $205,000, followed by Valentina Palmiotti with $70,000.
The Pwn2Own Berlin 2026 hacking contest, which focuses on enterprise technologies and artificial intelligence, takes place at the OffensiveCon conference from May 14 to May 16.
On the second day, the competitors will also attempt to exploit zero-days in Microsoft SharePoint, Microsoft Exchange, Windows 11, Apple Safari, Cursor, Red Hat Enterprise Linux for Workstations, LM Studio, OpenAI Codex, LiteLLM, Anthropic Claude Code, and Mozilla Firefox.
Security researchers targeting fully patched products in the web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, local inference, and LLM categories can earn over $1,000,000 in cash and prizes.
According to Pwn2Own's rules, all targeted devices run the latest operating system versions, and all entries must compromise the target and demonstrate arbitrary code execution.
After the zero-day flaws are disclosed during the Pwn2Own competition, vendors have 90 days to release security fixes for their software and hardware products.
Last year, Trend Micro's Zero Day Initiative awarded $1,078,750 for 29 zero-day vulnerabilities and some bug collisions.
Hope you enjoyed this news post. Feedback welcome.
Posted Friday 15 May 2026 at 7:31 am AEST (my time).