Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026
by Sergiu Gatlan · BleepingComputer
On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-days.
Today's highlight was the attempt by Orange Tsai, who was awarded $175,000 after chaining 4 logic bugs to achieve a sandbox escape on Microsoft Edge.
Windows 11 was also hacked three times by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity, each earning $30,000 in cash rewards for demonstrating new privilege escalation zero-days.
Valentina Palmiotti (chompie) of IBM X-Force Offensive Research (XOR) also collected $20,000 after rooting Red Hat Linux for Workstations and another $50,000 for a zero-day in the NVIDIA Container Toolkit.
Other successful attempts include k3vg3n chaining 3 bugs to take down LiteLLM ($40,000), Satoki Tsuji and haehae exploiting NVIDIA Megatron Bridge zero-days ($20,000), Compass Security and maitai of Doyensec hacking OpenAI's Codex coding agent (each earning $40,000), haehae dropping a Chroma zero-day ($20,000), and STARLabs SG demonstrating an LM Studio zero-day ($40,000).
The DEVCORE Research Team is now leading the competition with $205,000, followed by Valentina Palmiotti with $70,000.
The Pwn2Own Berlin 2026 hacking contest, which focuses on enterprise technologies and artificial intelligence, takes place at the OffensiveCon conference from May 14 to May 16.
On the second day, the competitors will also attempt to exploit zero-days in Microsoft SharePoint, Microsoft Exchange, Windows 11, Apple Safari, Cursor, Red Hat Enterprise Linux for Workstations, LM Studio, OpenAI Codex, LiteLLM, Anthropic Claude Code, and Mozilla Firefox.
Security researchers targeting fully patched products in the web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, local inference, and LLM categories can earn over $1,000,000 in cash and prizes.
According to Pwn2Own's rules, all targeted devices run the latest operating system versions, and all entries must compromise the target and demonstrate arbitrary code execution.
After the zero-day flaws are disclosed during the Pwn2Own competition, vendors have 90 days to release security fixes for their software and hardware products.
Last year, Trend Micro's Zero Day Initiative awarded $1,078,750 for 29 zero-day vulnerabilities and some bug collisions.