Windows 11 and Edge Hacked at Pwn2Own Berlin 2026
▼ Summary
– On the first day of Pwn2Own Berlin 2026, researchers earned $523,000 for exploiting 24 unique zero-days.
– Cheng-Da Tsai (Orange Tsai) of DEVCORE won $175,000 by chaining four logic bugs for a sandbox escape on Microsoft Edge.
– Windows 11 was hacked three times via privilege escalation zero-days, earning $30,000 each for Angelboy and TwinkleStar03, Marcin Wiązowski, and Kentaro Kawane.
– Valentina Palmiotti earned $70,000 for rooting Red Hat Linux and exploiting a zero-day in the NVIDIA Container Toolkit.
– The contest runs May 14–16 at OffensiveCon, with over $1,000,000 in prizes available for exploiting zero-days in fully patched products.
Day one of Pwn2Own Berlin 2026 saw security researchers walk away with $523,000 in cash prizes after successfully demonstrating 24 unique zero-day exploits.
The standout performance came from Cheng-Da Tsai, known as Orange Tsai of the DEVCORE Research Team. He earned $175,000 by chaining four logic bugs together to achieve a sandbox escape on Microsoft Edge.
Windows 11 was compromised three separate times. Angelboy and TwinkleStar03, both working through the DEVCORE Internship Program, along with independent researchers Marcin Wiązowski and Kentaro Kawane of GMO Cybersecurity, each collected $30,000 for revealing new privilege escalation zero-days.
Valentina Palmiotti, also known as chompie from IBM X-Force Offensive Research, secured $20,000 after rooting Red Hat Linux for Workstations and an additional $50,000 for a zero-day in the NVIDIA Container Toolkit.
Other successful exploits included k3vg3n, who chained three bugs to take down LiteLLM for $40,000. Satoki Tsuji and haehae exploited NVIDIA Megatron Bridge zero-days for $20,000. Compass Security and maitai of Doyensec each earned $40,000 for hacking OpenAI’s Codex coding agent. Haehae also dropped a Chroma zero-day for $20,000, while STARLabs SG demonstrated a LM Studio zero-day worth $40,000.
The DEVCORE Research Team currently leads the competition with $205,000, followed by Valentina Palmiotti with $70,000.
Pwn2Own Berlin 2026 is a three-day hacking contest focused on enterprise technologies and artificial intelligence, taking place at the OffensiveCon conference from May 14 to May 16. Day two will see competitors targeting zero-days in Microsoft SharePoint, Microsoft Exchange, Windows 11, Apple Safari, Cursor, Red Hat Enterprise Linux for Workstations, LM Studio, OpenAI Codex, LiteLLM, Anthropic Claude Code, and Mozilla Firefox.
Security researchers who target fully patched products across categories such as web browsers, virtualization, local privilege escalation, servers, enterprise applications, cloud-native and container environments, local inference, and large language models can collectively earn more than $1,000,000 in cash and prizes.
According to contest rules, all targeted devices run the latest operating system versions, and every entry must successfully compromise the target while demonstrating arbitrary code execution. After a zero-day is disclosed during the competition, vendors have 90 days to release security fixes.
For comparison, last year’s event saw Trend Micro’s Zero Day Initiative award $1,078,750 for 29 zero-day vulnerabilities and several bug collisions.
(Source: BleepingComputer)