Twenty-four zero-day vulnerabilities. A single day. $523,000 paid out to the people who found them. That’s Pwn2Own Berlin 2026’s opening act — and if you’re running Windows 11, Microsoft Edge, or any AI infrastructure built on open-source tooling, you were on the target list.
The annual hacking competition, now in its 19th year under Trend Micro’s Zero Day Initiative, landed in Berlin this week with a new twist: an entire category dedicated to AI systems. And what researchers proved on Day 1 is that everything from your browser to your enterprise LLM gateway is one clever exploit chain away from total compromise.
Windows 11 Fell Three Times Before Lunch
Three separate research teams broke into fully patched Windows 11 systems using three completely different techniques — each earning $30,000 for a privilege escalation exploit that Microsoft now has 90 days to fix.
Angelboy and TwinkleStar03 from DEVCORE’s internship program (yes, interns) used an Improper Access Control bug to escalate from a standard user to full system privileges. Marcin Wiązowski achieved the same result through a heap-based buffer overflow — a class of vulnerability that’s been haunting operating systems since the 1990s and apparently still works fine in 2026. And Kentaro Kawane of GMO Cybersecurity chained two use-after-free bugs together for a third successful attack.
Three teams. Three different attack surfaces. Three wins. The implication is brutal: Windows 11’s privilege boundary — the single most important security line between “some rando with a user account” and “full control of your machine” — had at least three holes open at the same time, all of them unknown to Microsoft until this week.
The $175,000 Edge Escape Is the Real Story
The day’s biggest payout went to Orange Tsai of DEVCORE Research Team, who chained four separate logic bugs to achieve something most security researchers consider the holy grail: a full sandbox escape from Microsoft Edge.
Here’s why that matters more than the Windows exploits. Browser sandboxes are supposed to be the last wall between a malicious website and your entire computer. Every time you visit a webpage, your browser runs that site’s code inside a locked box. If the box breaks, visiting the wrong link means game over — full machine compromise, no user interaction required beyond clicking a URL.
Orange Tsai didn’t use some exotic memory corruption technique. He chained logic bugs — flaws in how the code thinks, not how it handles memory. These are notoriously difficult to detect with automated tools because the code is technically running correctly; it’s just running correctly toward the wrong conclusion. Four of them, chained together, for $175,000. That’s either a bargain or an insult, depending on what a nation-state would pay for the same capability.
AI Infrastructure Got Its Own Category — And Immediately Got Destroyed
This year, Pwn2Own added an AI category for the first time. The targets included LiteLLM (a popular open-source LLM gateway used by thousands of companies to route API calls between AI models), NVIDIA’s AI stack, and other enterprise AI infrastructure.
They all fell on Day 1.
The LiteLLM compromise is particularly alarming because it’s a proxy layer — it sits between your application and your AI provider (OpenAI, Anthropic, Cohere, whoever). Compromising it means intercepting every prompt, every response, every API key flowing through the system. For companies using LiteLLM in production, an attacker exploiting this zero-day would have access to the full content of every AI conversation running through their infrastructure.
NVIDIA’s AI systems being compromised is less surprising but no less concerning. As every enterprise piles GPU infrastructure into its stack, the attack surface for AI-specific hardware and software is growing faster than security teams can audit it.
Day 2 Made It Worse: Exchange and Linux Joined the Kill List
By Day 2, researchers had also demonstrated zero-days against Microsoft Exchange and Red Hat Enterprise Linux — meaning the two most common enterprise email and server platforms are also carrying unpatched vulnerabilities. The total payout across both days exceeded $1 million.
Microsoft Exchange exploits are particularly dangerous because Exchange servers typically sit on the network perimeter and handle authentication. A compromised Exchange server often means an attacker can impersonate any employee, read all corporate email, and pivot into internal networks.
The Uncomfortable Math
Pwn2Own pays researchers to find these bugs and disclose them responsibly. The vendors get 90 days to patch. That’s the deal, and it works — in theory.
But here’s the math that should keep CISOs awake: if one competition in one week surfaces 24+ zero-days across Windows, Edge, Exchange, Linux, and AI infrastructure, how many zero-days exist right now that weren’t found by friendlies? The researchers at Pwn2Own are incentivized by $30,000 to $175,000 payouts. Nation-state buyers routinely pay $500,000 to $2 million for the same exploits with no disclosure requirement.
The economic incentive structure is broken. Pwn2Own’s total Day 1 payout of $523,000 is less than what a single government broker would pay for Orange Tsai’s Edge chain alone. The only reason responsible disclosure wins is that most researchers are ethical — not that the system pays them fairly.
What This Actually Means for You
If you’re running Windows 11: there are at least three privilege escalation bugs that are now known but unpatched. Microsoft has 90 days from May 13 to ship fixes. Until then, any attacker with initial access to your machine has a proven path to full control.
If you’re using Microsoft Edge: a sandbox escape exists. Visiting a malicious website could compromise your entire system. Consider running an additional layer of isolation (a VM or container) for sensitive browsing until a patch ships.
If you’re running LiteLLM or similar AI gateways in production: audit your exposure immediately. The zero-day demonstrated at Pwn2Own means your AI proxy layer is a viable attack vector right now.
The verdict: Pwn2Own Berlin 2026 didn’t just break records — it proved that the entire modern computing stack, from operating systems to browsers to AI infrastructure, is held together by bugs nobody’s found yet. The $523,000 Day 1 payout is simultaneously the best money the industry ever spent on defense and a rounding error compared to what these exploits are worth on the open market. Sleep tight.