← All articles

Pwn2Own Berlin Day 2: Microsoft Exchange falls to Orange Tsai's $200K chain, event total tops $908K

The second day of Pwn2Own Berlin 2026 added $385,750 across 15 unique zero-days, bringing the running total to $908,750 across 39 zero-days. The headline was Orange Tsai of DEVCORE chaining three bugs to gain SYSTEM-level remote code execution on Microsoft Exchange Server, taking the $200,000 top prize and pushing his event total past $375,000. Other day-two wins included a Windows 11 integer-overflow LPE, a Red Hat Enterprise Linux for Workstations root, a use-after-free in NVIDIA Container Toolkit, and AI-category exploits against LM Studio, Cursor, OpenAI Codex, and Anthropic Claude Desktop (the last as a collision with a previously known bug).

Check
Track Zero Day Initiative advisories over the next 90 days for the day-two Exchange chain (separate from CVE-2026-42897), Windows 11 LPE, RHEL Workstations escalation, NVIDIA Container Toolkit UAF, and the AI category bugs.
Affected
Fully patched Microsoft Exchange Server, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit, LM Studio, Cursor IDE, OpenAI Codex, and Anthropic Claude Desktop. CVEs not yet assigned; 90-day patching window.
Fix
Pre-stage update windows for Exchange Server, Windows 11, RHEL Workstations, and the AI developer tools listed. Where Cursor, Codex, and Claude Desktop run unsupervised, restrict outbound egress and code-execution scope until patches land.