The Pwn2Own Berlin 2026 contest wrapped up Saturday at OffensiveCon, paying out $1,298,250 for 47 unique zero-days across three days. Taiwan's DEVCORE took the Master of Pwn title with 50.5 points and $505,000 in winnings. The headline Day 3 result came from DEVCORE researcher splitline, who chained two bugs into a successful exploit of Microsoft SharePoint, earning $100,000 and 10 points. SharePoint had survived a failed Rapid7 attempt on Day 2, making this a notable late-contest catch. Day 3 also saw attempts against VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex. All disclosed bugs now enter ZDI's 90-day disclosure window.
The second day of Pwn2Own Berlin 2026 added $385,750 across 15 unique zero-days, bringing the running total to $908,750 across 39 zero-days. The headline was Orange Tsai of DEVCORE chaining three bugs to gain SYSTEM-level remote code execution on Microsoft Exchange Server, taking the $200,000 top prize and pushing his event total past $375,000. Other day-two wins included a Windows 11 integer-overflow LPE, a Red Hat Enterprise Linux for Workstations root, a use-after-free in NVIDIA Container Toolkit, and AI-category exploits against LM Studio, Cursor, OpenAI Codex, and Anthropic Claude Desktop (the last as a collision with a previously known bug).
Day one of the Pwn2Own Berlin 2026 hacking contest at OffensiveCon paid out 523,000 dollars across 24 unique zero-days, with Trend Micro's Zero Day Initiative reporting wins against fully patched Microsoft Edge, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit and Megatron Bridge, OpenAI Codex, and LiteLLM. Orange Tsai's four-bug logic chain that escaped the Edge sandbox took the biggest single prize at 175,000 dollars. An Anthropic Claude Code entry was ruled a collision (the bug was already known to the vendor). Each affected vendor now has 90 days to ship a fix before ZDI publishes technical details.