
During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.
The Pwn2Own Berlin 2026 hacking competition takes place at the OffensiveCon conference from May 14 to May 16 and focuses on enterprise technologies and artificial intelligence.
Security researchers can earn over $1,000,000 in cash and prizes by hacking fully patched products in the web browser, enterprise applications, cloud-native/container environments, virtualization, local privilege escalation, servers, local inference, and LLM categories.
According to Pwn2Own's rules, all targeted devices run the latest operating system versions, and all entries must compromise the target and demonstrate arbitrary code execution. Vendors have 90 days to patch their software and hardware after the zero-days are disclosed at Pwn2Own.
The highlight of the second day was Cheng-Da Tsai (also known as Orange Tsai) of DEVCORE Research Team earning $200,000 after chaining three bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange.
Siyeon Wi also collected $7,500 after exploiting an integer overflow bug to hack Windows 11, and Ben Koo of Team DDOS escalated privileges to root on Red Hat Enterprise Linux for Workstations to earn a $10,000 cash prize, while 0xDACA and Noam Trobishi used a use-after-free bug to exploit the NVIDIA Container Toolkit.
In the AI category, Le Duc Anh Vu of Viettel Cyber Security hacked the Cursor AI coding agent for $30,000, Sina Kheirkhah of Summoning Team demoed an OpenAI Codex zero-day ($20,000), and Compass Security exploited Cursor ($15,000).

On the first day, Orange Tsai earned another $175,000 after chaining four logic bugs for a Microsoft Edge sandbox escape, while Valentina Palmiotti (chompie) of IBM X-Force Offensive Research collected $20,000 for rooting Red Hat Linux for Workstations and $50,000 for an NVIDIA Container Toolkit zero-day.
Windows 11 was also hacked three times on day one by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Kentaro Kawane of GMO Cybersecurity, and Marcin Wiązowski, each earning $30,000 in cash rewards for demonstrating new privilege-escalation zero-days.
On the third day of Pwn2Own, the hackers will target Microsoft Windows 11, VMware ESXi, Red Hat Enterprise Linux, Microsoft SharePoint, and several AI coding agents.
The full schedule for the second day and the results for each challenge are available here, while the complete schedule for Pwn2Own Berlin 2026 is available here.
During last year's Pwn2Own Berlin contest, Trend Micro's Zero Day Initiative awarded $1,078,750 for 29 zero-day flaws and some bug collisions.

