Pwn2Own Berlin 2026: Hackers Uncover Multiple Vulnerabilities in Windows 11 and Microsoft Edge

The Pwn2Own Berlin 2026 competition kicked off with a bang as security researchers showcased their skills by identifying 24 unique zero-day vulnerabilities across various platforms, including Windows and popular web browsers. On the first day alone, participants earned a staggering $523,000 by exposing critical weaknesses in corporate technologies and artificial intelligence systems.

The highlight of the day was a remarkable attack executed by researcher Orange Tsai, who successfully breached Microsoft Edge by chaining together four logical flaws, resulting in a sandbox escape. For this impressive feat, Tsai was awarded $175,000.

Windows 11 was also a significant target, with three different teams demonstrating new privilege escalation vulnerabilities. The DEVCORE Research Team, GMO Cybersecurity, and expert Marcin Wiązowski each received $30,000 for their findings.

Valentina Palmiotti, known by her handle chompie and representing IBM X-Force Offensive Research (XOR), also made headlines. She earned $20,000 for exploiting Red Hat Linux for Workstations and an additional $50,000 for discovering a zero-day vulnerability in the NVIDIA Container Toolkit.

Other notable attacks included:

- Researcher k3vg3n, who secured $40,000 for a chain of three bugs in LiteLLM.
- Satoki Tsuji and haehae, who earned $20,000 for exploiting a zero-day vulnerability in NVIDIA Megatron Bridge.
- Compass Security and maitai from Doyensec, who compromised the OpenAI Codex AI agent and received $40,000 each.
- Haehae also demonstrated a zero-day in Chroma, earning another $20,000.
- The STARLabs SG team, which earned $40,000 for an attack on LM Studio.

At the end of the first day, the DEVCORE Research Team led the scoreboard with $205,000 and 20.5 Master of Pwn points, followed closely by Valentina Palmiotti with $70,000 and 7 Master of Pwn points.

As the competition enters its second day, participants will target high-profile products, including Microsoft SharePoint, Microsoft Exchange, and various web browsers. According to the competition rules, all targets must operate on fully updated software versions, and participants are required to demonstrate full arbitrary code execution. Following the event, vendors will have 90 days to issue patches for the vulnerabilities discovered, after which details will be publicly disclosed by the Trend Micro Zero Day Initiative.

Last year, the Pwn2Own competition awarded researchers a total of $1,078,750 for revealing 28 unique zero-day vulnerabilities. This year's competition is likely to have significant implications for software security and may prompt rapid responses from competitors in the industry.
