Pwn2Own Berlin 2026 commenced with a notable wave of zero-day exploits targeting leading browsers, operating systems, and AI software. On its opening day, security researchers succeeded in breaching Microsoft Edge, Windows 11, and LiteLLM, earning $523,000 in rewards for 24 distinct vulnerabilities.
The event underscores a threat landscape in which AI systems and core enterprise technologies are increasingly susceptible to intricate, chained attacks.
Microsoft Edge Sandbox Breach
One of the most remarkable demonstrations was performed by Orange Tsai from the DEVCORE Research Team, who successfully carried out a sophisticated sandbox escape on Microsoft Edge. This exploit ingeniously combined four separate logic vulnerabilities, escalating minor defects into a complete system breach.
The intricate nature of this attack, which secured $175,000 and 17.5 Master of Pwn points, highlights how even fortified browser security can be compromised through a strategic combination of multiple weaknesses.
Windows 11 Security Challenges
Microsoft Windows 11 also emerged as a significant target, with multiple successful privilege escalation attacks reported throughout the day. Security researchers showcased several methods using heap-based buffer overflows and improper access control flaws to gain elevated privileges.
These breaches demonstrate that even well-established operating systems remain vulnerable to memory corruption and access control issues, as evidenced by the persistent exploitation methods employed by participants like Angelboy and TwinkleStar03 of DEVCORE.
AI Platforms Under Siege
The scrutiny extended to AI infrastructure, with LiteLLM falling to an exploit by researcher k3vg3n, who chained three vulnerabilities, including Server-Side Request Forgery (SSRF) and code injection, to achieve full system takeover.
This incident, which earned a $40,000 reward, underscores the critical security gaps that can arise in AI frameworks, particularly those handling external inputs and APIs, if not adequately fortified.
Other AI-focused targets were also compromised, with Compass Security exploiting OpenAI Codex through a CWE-150 flaw, and NVIDIA’s Megatron Bridge suffering breaches due to permissive allow lists and path-traversal vulnerabilities. IBM X-Force researchers further demonstrated the fragility of developer tools by exploiting a bug in the NV Container Toolkit.
Not every attempt succeeded: some researchers were unable to exploit certain targets, such as OpenAI Codex, within the allotted time. Additionally, numerous exploits relied on previously known vulnerabilities, highlighting the ongoing challenge organizations face in patching promptly.
As Pwn2Own Berlin 2026 progresses, it becomes clear that the focus of attackers is shifting beyond traditional software to AI platforms, inference engines, and developer tools. With DEVCORE leading the charge, the event promises to reveal deeper vulnerabilities, serving as a critical alert to vendors and enterprises.
