
The Pwn2Own Berlin 2026 hacking contest has concluded, with security researchers collecting $1,298,250 in rewards after exploiting 47 zero-day flaws.
The competition took place at the OffensiveCon conference from May 14 to May 16 and focused on enterprise technologies and artificial intelligence.
During the competition, the hackers targeted fully patched products across web browsers, enterprise applications, local privilege escalation, servers, local inference, cloud-native/container environments, virtualization, and LLM categories.
Competitors collected $523,000 in cash awards on the first day for 24 unique zero-days, and another $385,750 on the second day for exploiting 15 zero-days. On the third day of Pwn2Own, they earned another $389,500 for 8 more zero-days.
DEVCORE won this year's edition of Pwn2Own Berlin with 50.5 Master of Pwn points and $505,000 in rewards over the three-day contest after hacking Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11, followed by STARLabs SG with $242,500 (25 points) and Out Of Bounds with $95,750 (12.75 points).

The contest's highest reward was $200,000, awarded to Cheng-Da Tsai (also known as Orange Tsai) of the DEVCORE Research Team after chaining 3 bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange.
On the first day, Orange Tsai earned another $175,000 for a Microsoft Edge sandbox escape chaining 4 logic bugs, Windows 11 was hacked three times, and Valentina Palmiotti (chompie) of IBM X-Force Offensive Research collected $70,000 for rooting Red Hat Linux for Workstations and an NVIDIA Container Toolkit zero-day.
On the second day, the hackers demonstrated another Windows 11 local privilege escalation vulnerability, a root-privilege escalation vulnerability in Red Hat Enterprise Linux for Workstations, and zero-days in multiple AI coding agents.
On the third and final day of the competition, the competitors hacked Windows 11 and Red Hat Enterprise Linux for Workstations again, and used a memory corruption bug to exploit VMware ESXi.
After Pwn2Own ends, vendors have 90 days to release security patches before TrendMicro's Zero Day Initiative (ZDI) publicly discloses them.
During last year's Pwn2Own Berlin contest, won by the STAR Labs SG team, ZDI awarded $1,078,750 for 29 zero-day flaws and some bug collisions.




