Pwn2Own Berlin 2026: Record 47 Zero-Days Strain Disclosure Pipeline
pwn2own berlin 2026zero-daycybersecurityhackingdevcorecheng-da tsaimicrosoft exchangemicrosoft edgevmware esxai securityvulnerabilityzdi

Pwn2Own Berlin 2026: Record 47 Zero-Days Strain Disclosure Pipeline

By Daniel MarshMay 18, 2026

Pwn2Own Berlin 2026: Record 47 Zero-Days Strain Disclosure Pipeline

Pwn2Own Berlin 2026 just wrapped, revealing a significant payout: $1,298,250 for 47 unique zero-days. This volume of discovered vulnerabilities underscores the continued value of these competitions. However, a significant concern emerged: the event hit capacity. Researchers were turned away. Some researchers, unable to participate, may disclose their findings publicly.

This situation is not merely about missed bounty opportunities. It highlights a critical point regarding the sheer volume of vulnerabilities, their accelerating discovery rate, and the capacity of our current disclosure mechanisms to manage them.

What Actually Happened in Berlin at Pwn2Own Berlin 2026

From May 14-16, white-hat hackers convened at Pwn2Own Berlin 2026, targeting systems from enterprise applications to AI coding agents. The Zero Day Initiative (ZDI) reported the final tally: $1,298,250 for 47 distinct zero-days. This marks a notable increase from last year's Pwn2Own Berlin event, which saw $1,078,750 for 29 flaws (as reported by SecurityWeek and BleepingComputer).

DEVCORE, led by Cheng-Da Tsai (Orange Tsai), secured the "Master of Pwn" title and $505,000. Their most impactful vulnerability chain was a $200,000 chain of three bugs achieving remote code execution with SYSTEM privileges on Microsoft Exchange. They also earned $175,000 for a Microsoft Edge sandbox escape using four logic bugs. StarLabs SG placed second with $242,500, including a $200,000 VMware ESX exploit enabling cross-tenant code execution.

Windows 11 was hacked three times on Day 1, with further local privilege escalations demonstrated on Day 2 and Day 3. Red Hat Enterprise Linux for Workstations also saw root-privilege escalation on Day 2 and Day 3. A new category emerged, raising specific concerns: AI coding agents. Targets included LiteLLM, OpenAI Codex, LM Studio, and Cursor, with payouts ranging from $15,000 to $40,000 per exploit.

Pwn2Own Berlin 2026 zero-days in a server room

The Attack Chains That Matter

Analysis of the technical details behind these successful attacks reveals several specific risks:

  • Microsoft Exchange RCE (DEVCORE): Remote code execution with SYSTEM privileges on Exchange typically implies a full domain compromise. Exchange servers are often high-value targets for initial access and persistence, aligning with MITRE ATT&CK techniques such as T1133 and T1078. A chain of three bugs suggests an attacker bypassed authentication or gained initial access, then escalated privileges, and finally executed code. This is not a simple vulnerability; rather, it represents a methodical path to deep system compromise, a pattern observed with previous significant Exchange vulnerabilities.
  • Microsoft Edge Sandbox Escape (DEVCORE): Browser sandboxes are designed to contain malicious code, preventing it from affecting the underlying operating system. Four logic bugs to escape this mechanism indicate subtle flaws in how the browser handles operations or interacts with the OS kernel. This is a common vector for drive-by downloads to escalate into full system compromises (e.g., MITRE ATT&CK T1189 and T1068).
  • VMware ESX Cross-Tenant RCE (StarLabs SG): This is a hypervisor escape, allowing an attacker to break out of their own virtual machine and execute code on the host. For cloud providers or enterprises using multi-tenant virtualization, this presents a significant confidentiality and integrity risk, akin to gaining control of the underlying infrastructure from an isolated tenant environment.
  • AI Coding Agent Zero-Days: While specific technical details remain undisclosed, these likely involve prompt injection leading to arbitrary code execution on the backend, data exfiltration from the model's context or training data, or even model poisoning. An attacker manipulating an AI agent to generate malicious code or leak sensitive internal data it was trained on represents a new attack surface. The rapid discovery of multiple vulnerabilities in this category highlights the immature security practices common across many of these emerging tools.

The Unseen Wave: Capacity and Public Disclosure Challenges

The capacity issue is particularly pressing. International Cyber Digest reported some teams were unable to register due to full time slots, leading some to disclose findings directly to vendors or publicly. This practice of public disclosure outside controlled channels presents a significant challenge.

The core purpose of Pwn2Own Berlin 2026 and ZDI's 90-day disclosure policy is to provide vendors an opportunity to patch before vulnerability details become public. When researchers, lacking official channels, publish zero-day findings, it introduces immediate, unmitigated risk for all users of that software. This bottleneck in the vulnerability disclosure process suggests a potential increase in unpatched zero-days becoming publicly known before vendors can release fixes, introducing immediate, unmitigated risk for all users of that software.

The sheer volume of 47 zero-days discovered at Pwn2Own Berlin 2026, coupled with the overflow of submissions, indicates an accelerating pace of discovery. The potential for AI tools to facilitate faster bug discovery is a critical factor here. Should this acceleration materialize, the current disclosure and patching pipeline will face significant strain.

Covert exploit delivery via USB, related to Pwn2Own Berlin 2026 findings

What We Do Now

Vendors now have their standard 90-day window to patch these 47 vulnerabilities, with ZDI committed to publishing details after this period if patches are not released. This established process, however, only functions for the bugs that made it into Pwn2Own; the more pressing concern lies with those vulnerabilities that did not enter this controlled disclosure process.

The industry must address this capacity problem, as seen at Pwn2Own Berlin 2026. While Pwn2Own Berlin 2026 is a valuable event, its inability to accommodate the volume of legitimate research necessitates additional formalized channels. This could involve more frequent events, expanding existing ones, or creating new, trusted mechanisms for researchers to submit findings without resorting to public disclosure.

Furthermore, the vulnerability of numerous AI coding agents underscores that AI security must be integrated from the outset, not treated as an afterthought. Developers must apply the same rigorous security principles to AI models, their training data, and their execution environments as they do to operating systems and essential enterprise applications.

Finally, the potential for more zero-days circulating outside controlled disclosure channels reinforces the need for robust defense strategies beyond patching alone. Strong network segmentation, advanced endpoint detection and response (EDR), and continuous threat hunting are increasingly vital. The sheer volume of discovered vulnerabilities at Pwn2Own Berlin 2026, while positive for long-term security, suggests that the current disclosure infrastructure is reaching its limits, demanding a proactive and adaptive approach from defenders.

Daniel Marsh
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.