
Researchers earned more than half a million dollars on the opening day of Pwn2Own Berlin 2026 after successfully demonstrating 24 previously unknown vulnerabilities across AI platforms, NVIDIA software, Windows 11, Linux systems, and developer tools.
The first day of the competition saw $523,000 awarded in prizes, with DEVCORE taking an early lead in the "Master of Pwn" rankings.

Organized by Trend Micro's Zero Day Initiative (ZDI), Pwn2Own has become one of the security industry's most closely watched competitions, bringing together elite researchers to uncover exploitable flaws in widely used products before attackers can weaponize them. This year's Berlin event introduced several AI-focused categories, including AI databases, coding agents, local inference tools, and NVIDIA AI infrastructure products, reflecting the growing attack surface around generative AI ecosystems.
One of the largest payouts of the day went to renowned researcher Orange Tsai of the DEVCORE Research Team, who chained together four logic vulnerabilities to escape the Microsoft Edge sandbox. The exploit earned Tsai $175,000 and 17.5 Master of Pwn points, making it the highest-value demonstration of Day One.
DEVCORE also secured another successful entry when researchers Angelboy and TwinkleStar03 exploited an improper access control flaw to escalate privileges on Microsoft Windows 11, earning an additional $30,000.
k3vg3n chained three flaws, including a server-side request forgery (SSRF) and a code injection vulnerability, to compromise LiteLLM, a popular framework for managing and proxying requests to large language models. The exploit earned $40,000.
LM Studio, a widely used local inference application that lets users run large language models on their own hardware, was also breached. Researchers Billy, Pan Zhenpeng, and Weiming Shi of STARLabs SG chained five bugs, again including SSRF and code injection flaws, to achieve a full compromise and collect $40,000.
Satoki Tsuji of Ikotas Labs exploited NVIDIA Megatron Bridge through an overly permissive allow-list, while Yoseop Kim later demonstrated another successful attack against the same platform using a CWE-470 flaw (use of externally controlled input to select classes or code, commonly called unsafe reflection). Out Of Bounds researcher haehae also compromised Megatron Bridge using a path traversal vulnerability in a second-round attempt. Megatron Bridge is part of NVIDIA's AI infrastructure stack, designed to help organizations train and deploy large-scale language models.
IBM X-Force Offensive Research researcher Chompie exploited the NVIDIA Container Toolkit using a single vulnerability, earning $50,000. The toolkit is widely deployed in GPU-accelerated container environments, so a flaw in it is particularly significant for cloud and enterprise AI deployments. Chompie later returned to the stage to exploit a race condition for privilege escalation on Red Hat Enterprise Linux for Workstations.

Compass Security researchers exploited the product using a CWE-150 flaw (improper neutralization of escape, meta, or control sequences), earning $40,000.
Other successful demonstrations included multiple Windows 11 privilege escalation exploits. Marcin Wiązowski exploited a heap-based buffer overflow, while Kentaro Kawane of GMO Cybersecurity by Ierae chained two use-after-free vulnerabilities to gain elevated privileges on Microsoft's operating system.
The competition also saw several failures and withdrawals involving the NVIDIA Container Toolkit, Oracle Autonomous AI Database, the Firefox renderer, and LM Studio.
Overall, many of the demonstrated attacks relied on logic flaws, unsafe access controls, path traversal, and code injection rather than on traditional memory corruption alone, a reminder that the AI tooling category is being compromised largely through input validation and trust-boundary mistakes rather than low-level memory bugs.
All vulnerabilities demonstrated during Pwn2Own are disclosed privately to the affected vendors under coordinated disclosure rules, giving them time to develop and release patches before technical details become public. Researchers are prohibited from sharing exploit specifics until the vendors have addressed the flaws.