RHEL, Windows 11, AI Agents Hacked at Pwn2Own Berlin

The results of the three-day Pwn2Own Berlin 2026 competition have been announced: participants demonstrated successful attacks using 47 previously unknown vulnerabilities (0-days) in targets including operating systems, browsers, AI systems, and virtualization platforms. The attacks were carried out against the latest versions of programs and operating systems, with all available updates installed and in the default configuration.

Rewards paid out totaled more than $1.2 million ($1,298,250). The most successful team, DEVCORE, earned $505 thousand from the competition. The second-place team, STARLabs SG, received $242 thousand, and the third-place team, Out Of Bounds, received $95 thousand.


Below are the attacks that were successfully carried out:

  • Red Hat Enterprise Linux: 4 successful attacks that allowed privilege escalation to the root user, with rewards of $20,000, $10,000, $7,000, and $5,000.
  • Windows 11: 5 successful attacks that gained administrator rights, with rewards ranging from $30,000 to $7,500.
  • VMware ESX: a successful code execution attack on the host side, with a reward of $200,000.
  • NV Container Toolkit: 2 successful attacks bypassing container isolation, with rewards of $25,000 and $50,000.
  • Microsoft Edge: Remote code execution with sandbox bypass, rewarded with $175,000.
  • Microsoft SharePoint: Remote code execution, rewarded with $100,000.
  • Microsoft Exchange: Remote code execution with