$1.3M for 47 Zero-Days. Then the Rejected Hackers Started Talking.

The Numbers

Pwn2Own Berlin 2026 wrapped on May 16. Three days. 47 unique zero-day vulnerabilities. $1,298,250 paid out to security researchers. Held at OffensiveCon in Berlin, this was the largest Pwn2Own in the contest's 19-year history.

Windows 11, Microsoft Edge, Microsoft Exchange, Microsoft SharePoint, VMware ESXi, Red Hat Enterprise Linux, NVIDIA Container Toolkit, and multiple AI coding tools all fell on stage. Some in seconds.

But the contest itself is not the story. The story is what happened around it.

The Scoreboard

DEVCORE Research Team dominated. 50.5 Master of Pwn points. $505,000 in total earnings. They hacked Microsoft Edge, Exchange, SharePoint, and Windows 11 across all three days.

STARLabs SG came second with 25 points and $242,500, anchored by a $200,000 VMware ESXi exploit. Out Of Bounds finished third with 12.75 points and $95,750.

Day One: $523,000 for 24 Zero-Days

The first day set the pace. Orange Tsai of DEVCORE chained four separate logic bugs to escape the Microsoft Edge sandbox, earning $175,000. That is the kind of exploit chain that keeps browser security teams awake at night. Sandbox escapes mean an attacker can go from a compromised webpage into the underlying operating system.

Windows 11 was hacked three times by three different teams. Angelboy and TwinkleStar03 from DEVCORE, Marcin Wiazowski, and Kentaro Kawane from GMO Cybersecurity each took $30,000 for separate privilege escalation exploits.

Valentina Palmiotti of IBM X-Force Offensive Research collected $20,000 for rooting Red Hat Enterprise Linux, then another $50,000 for a zero-day in the NVIDIA Container Toolkit. k3vg3n chained three bugs, including SSRF and code injection, to compromise LiteLLM, earning $40,000.

Day Two: $385,750 for 15 Zero-Days

Orange Tsai came back. This time he chained three bugs to achieve remote code execution as SYSTEM on Microsoft Exchange. $200,000. 20 Master of Pwn points. The same researcher, two days in a row, dismantling two of Microsoft's most critical products.

Cursor, the AI-powered code editor that half of Silicon Valley now uses for development, was exploited twice. Viettel Cyber Security took $30,000 for their exploit. Compass Security took $15,000. Two independent teams, two independent vulnerability chains, one product.

Sina Kheirkhah of Summoning Team exploited OpenAI Codex for $20,000. Ben Koo of Team DDOS used a use-after-free bug to escalate privileges on Red Hat Enterprise Linux for $10,000.

Day Three: $389,500 for 8 Zero-Days

Nguyen Hoang Thach of STARLabs SG used a memory corruption bug to exploit VMware ESXi with cross-tenant code execution. $200,000. In cloud infrastructure, cross-tenant means an attacker in one virtual machine can reach into another customer's environment. That is the nightmare scenario for every cloud provider.

splitline of DEVCORE chained two bugs to exploit Microsoft SharePoint for $100,000. Satoki Tsuji of Ikotas Labs exploited OpenAI Codex by abusing an external control mechanism for $20,000.

Interrupt Labs and IBM X-Force each earned $50,000 for separate NVIDIA Container Toolkit exploits.

AI Coding Tools: The New Attack Surface

Pwn2Own Berlin 2026 introduced AI tools as an official target category for the first time. The results were immediate.

LiteLLM: hacked on Day One. Cursor: hacked twice on Day Two. OpenAI Codex: hacked on Day Two and again on Day Three.

These are not obscure research projects. LiteLLM is a proxy layer that thousands of companies use to route requests to multiple AI providers. Cursor is the AI coding editor that raised $900 million and has millions of developers using it daily. OpenAI Codex is the code generation engine behind enterprise AI workflows.

Every company that integrated these tools into their development pipeline now has a confirmed attack surface that did not exist two years ago. The vulnerabilities are real, they were demonstrated live, and the vendors now have 90 days to patch before the details go public.

The Overflow

Here is where the story gets interesting.

For the first time in 19 years, Pwn2Own hit a hard submission cap. ZDI, the organization that runs the contest, had to close registration on May 7 because they could not process any more entries. Dozens of working zero-day RCE submissions were rejected. Not because they were invalid. Because there were not enough time slots.

The rejected hackers did not wait quietly.

xchglabs, a security research group, had prepared 86 vulnerabilities across the AI stack targeting systems like NVIDIA, Docker, Linux KVM, and PyTorch. All 86 were rejected from the contest. All 86 are now being disclosed directly to vendors with public writeups.

Other rejected researchers started posting proof-of-concept demos targeting Firefox, NVIDIA, and AI platforms. Some went straight to vendor disclosure. Some went public.

This created a cascading problem for the contestants who did make it into the contest. If a rejected researcher reports a bug and the vendor patches it before the competition, the contestant's entry counts as a collision: the bug is already known to the vendor, so the exploit no longer qualifies. Their months of work become worthless. They get no payout.

Pwn2Own's coordinated disclosure model depends on exclusivity. Researchers find bugs, demonstrate them on stage, and vendors get 90 days to patch. That system works when the contest can absorb every credible submission. It breaks when the overflow spills into the wild.

Why the Overflow Happened

The answer is the same technology that was being hacked on stage.

AI-assisted exploit research is accelerating vulnerability discovery. Researchers are using AI to find bugs, generate fuzzing harnesses, triage crashes, and prepare submissions faster than any previous generation of security tools allowed. Palisade Research reported that AI is helping researchers build exploit chains at speeds that traditional contests cannot match.

The contest that added AI as a target category is being overwhelmed by AI-assisted research. The infrastructure designed to handle human-speed vulnerability discovery cannot keep up with machine-augmented output.

This is not theoretical. xchglabs produced 86 exploitable vulnerabilities for a single contest. That volume would have been extraordinary for an entire year of research from a small team. They did it in the preparation window for one event.

The Irony

Pwn2Own Berlin 2026 demonstrated two things simultaneously.

First: AI coding tools are insecure. Cursor, LiteLLM, and OpenAI Codex all fell on stage. The tools that developers trust to write their code have confirmed vulnerabilities that allow remote code execution, privilege escalation, and data exfiltration.

Second: AI is making the people who find those vulnerabilities faster. So fast that the oldest and most respected vulnerability disclosure contest in the world cannot keep up with the submission volume.

AI is both the target and the weapon. The tools are insecure, and the method for proving they are insecure is accelerating beyond what the industry can process.

The Vendor Clock

Every vendor whose product was exploited on stage now has 90 days before ZDI publishes the full details. Microsoft has patches to ship for Edge, Exchange, SharePoint, and Windows 11. VMware has a cross-tenant ESXi exploit to fix. NVIDIA has Container Toolkit vulnerabilities to address. Cursor, LiteLLM, and OpenAI have AI-specific flaws to remediate.

But the overflow exploits are on a different clock. The rejected researchers are disclosing on their own timeline, directly to vendors and sometimes publicly. There is no 90-day grace period. There is no coordinated schedule.

Security teams at affected companies are now dealing with two parallel disclosure tracks: the official Pwn2Own pipeline and the uncoordinated overflow. The second one is faster, less predictable, and potentially more dangerous.

What This Means

Pwn2Own has been running since 2007. It has never hit capacity before. The fact that it did in 2026, the same year AI tools became an official target, is not a coincidence.

The vulnerability pipeline is getting faster. The discovery tools are getting smarter. The attack surface is getting wider. And the institutions designed to manage responsible disclosure are hitting structural limits.

DEVCORE walked away with half a million dollars. STARLabs took $242,500, most of it from a single $200,000 VMware exploit. The contest paid $1.3 million total. But outside the contest, 86 vulnerabilities from a single rejected team are now in the disclosure pipeline with no prize money, no stage, and no coordinated timeline.

The biggest hacking contest in history just proved it is not big enough for the era it helped create.

47 zero-days on stage. Dozens more in the overflow. AI tools hacked by AI-augmented researchers. And a 19-year-old system that finally broke under the weight of what it unleashed.

Welcome to the new vulnerability economy.