Microsoft Edge, Windows 11 and AI Tools Fall at Pwn2Own Berlin 2026


Pwn2Own Berlin 2026 ended with security researchers earning $1,298,250 after demonstrating 47 unique zero-day vulnerabilities across browsers, operating systems, servers, virtualization tools, Nvidia software, and AI platforms.

The three-day contest, held at OffensiveCon from May 14 to May 16, showed how quickly enterprise and AI attack surfaces are expanding. Researchers successfully exploited Microsoft Edge, Windows 11, LiteLLM, OpenAI Codex, Microsoft Exchange, SharePoint, VMware ESXi, Red Hat Enterprise Linux, and several developer-focused tools.

DEVCORE won the Master of Pwn title after collecting 50.5 points and $505,000 in rewards. STARLabs SG finished second with 25 points and $242,500, while Out Of Bounds placed third with 12.75 points and $95,750.

Pwn2Own Berlin 2026 Final Results

Category: Result
Total payout: $1,298,250
Unique zero-days: 47
Event dates: May 14 to May 16, 2026
Top team: DEVCORE Research Team
Master of Pwn score: 50.5 points

Day One set the tone with $523,000 awarded for 24 unique zero-days. The most notable result came from Orange Tsai of DEVCORE, who chained four logic bugs to achieve a Microsoft Edge sandbox escape.

That Edge exploit earned $175,000 and 17.5 Master of Pwn points, making it one of the most valuable demonstrations of the contest. Browser sandbox escapes remain high-impact because they can break through protections designed to isolate malicious web content from the rest of the system.

Windows 11 Exploited Repeatedly

Windows 11 also came under repeated pressure. Researchers demonstrated multiple local privilege escalation attacks across the event, including flaws tied to improper access control, integer overflow, heap-based issues, and other memory safety weaknesses.

Microsoft Edge and Windows 11 Were Major Targets

Windows 11 appeared several times across the schedule, showing that even mature operating systems still carry risks when attackers find a path from a lower-privileged account to elevated system access.

Local privilege escalation flaws usually require some level of initial access, but they matter because real attackers often combine them with phishing, browser exploits, stolen credentials, or malware loaders. Once chained, they can help an attacker move from limited code execution to deeper control of a machine.

Microsoft products were not the only major enterprise targets. Orange Tsai later chained three bugs to achieve remote code execution as SYSTEM on Microsoft Exchange, earning $200,000. DEVCORE also exploited Microsoft SharePoint on the final day for $100,000.

AI Platforms Became a Bigger Part of the Contest

Pwn2Own Berlin 2026 also made one point very clear: AI infrastructure has become a real security target. This year’s contest included AI databases, coding agents, local inference tools, and Nvidia-related technologies.

LiteLLM was compromised on Day One after researcher k3vg3n chained three bugs, including server-side request forgery and code injection. The full win earned $40,000 and showed how AI gateway tools can become powerful targets when they sit between users, models, APIs, and internal systems.

OpenAI Codex, Anthropic Claude Code, Cursor, LM Studio, Ollama, Chroma, Nvidia Megatron Bridge, and Nvidia Container Toolkit also appeared in successful or attempted demonstrations during the event.

  • LiteLLM was exploited through a chain that included SSRF and code injection.
  • OpenAI Codex was exploited by multiple researchers during the competition.
  • Nvidia Megatron Bridge faced several successful demonstrations.
  • LM Studio, Cursor, Claude Code, Chroma, and Ollama also drew researcher attention.
  • Some successful attempts were marked as collisions because they used previously known bugs.

Why the AI Results Matter

AI tools often connect to source code, files, cloud services, local runtimes, credentials, and developer workflows. That makes them useful, but it also increases the damage if attackers find a way to abuse them.

The Pwn2Own results show that AI security needs more than model-level safety checks. Vendors also need strong input validation, sandboxing, permission controls, secure plugin handling, dependency review, and fast patching processes.

For enterprises, the results carry a simple message. AI tools should go through the same security review as traditional software, especially when they run locally, connect to internal systems, or process sensitive developer data.

Day Two and Day Three Raised the Stakes

Day Two added $385,750 and 15 unique zero-days, bringing the event total to $908,750 before the final day. Microsoft Exchange, Windows 11, Red Hat Enterprise Linux, Cursor, LM Studio, OpenAI Codex, LiteLLM, Claude Desktop, and other targets all appeared in the results.

The final day pushed the contest past the million-dollar mark. Researchers added $389,500 through eight more unique zero-days, including major results against Windows 11, SharePoint, OpenAI Codex, Red Hat Enterprise Linux, Anthropic Claude Code, and VMware ESXi.

One of the highest-value demonstrations came from STARLabs SG, which used a memory corruption bug to exploit VMware ESXi with a cross-tenant code execution add-on. That attempt earned $200,000 and 20 Master of Pwn points.

Key Takeaways for Users and Enterprises

Target Area: Security Lesson
Browsers: Sandboxing helps, but chained logic bugs can still break isolation.
Windows 11: Privilege escalation flaws remain valuable when paired with other attacks.
AI tools: Local inference and coding agents need stricter security controls.
Servers: Exchange and SharePoint remain high-value enterprise targets.
Virtualization: Cross-tenant attack paths can create major risk in shared environments.

Pwn2Own contests do not release full exploit details immediately. Vendors receive vulnerability reports through a coordinated disclosure process and normally get time to prepare fixes before technical details become public.

For users, the practical advice remains straightforward. Keep Windows, Edge, browsers, developer tools, AI software, virtualization platforms, and server products updated as soon as patches become available.

For IT teams, the Berlin results should also trigger a closer review of AI tools already running inside the organization. Many companies adopted coding agents and local inference tools quickly, but security policies have not always caught up with that pace.

FAQ

What happened at Pwn2Own Berlin 2026?

Security researchers demonstrated 47 unique zero-day vulnerabilities across browsers, operating systems, enterprise servers, virtualization platforms, Nvidia tools, and AI software. The event awarded $1,298,250 in total rewards.

Was Microsoft Edge hacked at Pwn2Own Berlin 2026?

Yes. Orange Tsai of DEVCORE chained four logic bugs to achieve a Microsoft Edge sandbox escape on Day One, earning $175,000 and 17.5 Master of Pwn points.

Was Windows 11 hacked during the contest?

Yes. Researchers demonstrated multiple Windows 11 local privilege escalation exploits during Pwn2Own Berlin 2026, including attempts involving access control and memory-related issues.

Why did AI tools matter at Pwn2Own Berlin 2026?

AI tools were a major focus because many of them connect to code, files, APIs, credentials, and local execution environments. Successful exploits against tools such as LiteLLM, OpenAI Codex, Cursor, LM Studio, and Claude Code showed that AI software now needs enterprise-grade security controls.

Who won Pwn2Own Berlin 2026?

DEVCORE won Master of Pwn with 50.5 points and $505,000 in rewards. STARLabs SG finished second, followed by Out Of Bounds in third place.

Readers help support VPNCentral. We may get a commission if you buy through our links.
