24 Zero-Days Fall on Day One of Pwn2Own Berlin 2026
Security researchers exploited Windows 11, Microsoft Edge, Red Hat Linux, and multiple AI platforms on the first day of Pwn2Own Berlin 2026, earning $523,000 for 24 unique zero-day vulnerabilities.
The first day of Pwn2Own Berlin 2026 delivered exactly what security professionals expected from the world's most prestigious hacking competition: carnage. Security researchers demonstrated 24 unique zero-day vulnerabilities across Windows 11, Microsoft Edge, Red Hat Linux, and a slate of AI platforms, walking away with $523,000 in prize money.
Microsoft Takes the Brunt
Orange Tsai stole the show with a devastating sandbox escape against Microsoft Edge. By chaining four logic bugs together, Tsai broke out of Edge's sandbox entirely, earning $175,000 and establishing himself as a frontrunner for the Master of Pwn title. The browser exploit follows a pattern of Microsoft zero-days surfacing through security research this month.
Windows 11 fared no better. Three separate research teams independently achieved local privilege escalation on the operating system, each collecting $30,000 for their efforts. Angelboy and TwinkleStar03 from DEVCORE's internship program; Marcin Wiazowski; and Kentaro Kawane of GMO Cybersecurity all found different paths to escalate privileges on a fully patched Windows 11 system. The vulnerabilities come just a day after Microsoft's May Patch Tuesday addressed 120 flaws, though clearly not enough to stop determined researchers.
Valentina Palmiotti of IBM X-Force Offensive Research demonstrated vulnerabilities against both Red Hat Enterprise Linux and NVIDIA's Megatron Bridge, earning $70,000 combined.
AI Systems Under Fire
This year's competition expanded its AI categories significantly, and researchers didn't disappoint. Teams successfully compromised LiteLLM, NVIDIA Megatron Bridge, OpenAI's Codex, the Chroma vector database, and LM Studio. The AI targeting reflects how coding agents have become attractive attack surfaces as organizations integrate them into development workflows.
The NVIDIA Container Toolkit also fell victim to researchers, highlighting the security challenges facing AI infrastructure beyond just the models themselves.
Competition Reaches Capacity
For the first time in the competition's 19-year history, Pwn2Own hit its registration limit and had to turn researchers away. The Zero Day Initiative closed registration on May 7, a full week before the competition started.
Some rejected researchers responded by publicly disclosing their findings. The group xchglabs, which had prepared 86 vulnerabilities targeting NVIDIA, Docker, Linux KVM, and PyTorch, began sending their research directly to vendors and posting details online. The capacity crisis raises uncomfortable questions about whether the vulnerability supply now exceeds what traditional coordinated disclosure can handle.
The flood of zero-days aligns with recent observations that AI-assisted vulnerability discovery has accelerated how quickly researchers find exploitable flaws. What once took months of reverse engineering can now be accomplished in days.
Days Two and Three Preview
The competition continues through May 16, with high-value targets still in play. Microsoft SharePoint and Exchange remain untouched, each offering $100,000 to $200,000 for successful exploits. VMware ESXi carries a $150,000 bounty for guest-to-host escape demonstrations.
The AI category continues with attempts against Anthropic's Claude Code, Cursor, and additional shots at OpenAI Codex. Apple Safari and Mozilla Firefox also await challengers in the browser category.
Vendors Have 90 Days
Under Pwn2Own's standard disclosure policy, vendors receive 90 days to patch vulnerabilities demonstrated at the competition before technical details go public. Microsoft, Red Hat, NVIDIA, and the affected AI vendors now face the clock to address the issues before exploitation details spread.
The day one results suggest the remaining targets will see aggressive attempts. With over $1 million in total prize money available and Master of Pwn points on the line, researchers have every incentive to deploy their best work. The Pwn2Own Automotive event earlier this year saw 76 zero-days disclosed over three days, setting a high bar for Berlin.
Security teams running Windows 11, Edge, or any of the compromised AI platforms should prepare for patches over the coming weeks. The vulnerabilities are present in deployed, fully patched systems now, even if specific exploitation details remain under embargo.
Why This Matters
Pwn2Own serves as a reality check on enterprise security posture. These aren't theoretical vulnerabilities found through static analysis. They're working exploits demonstrated against fully patched, default-configured systems by some of the world's best offensive security researchers.
The expansion into AI targets reflects how the threat landscape has evolved. Organizations deploying AI coding assistants, vector databases, and local inference engines now need to treat these systems with the same security rigor as traditional infrastructure. For those tracking ongoing hacking news, this competition sets the tone for enterprise vulnerability priorities through the remainder of 2026.