The second day of Pwn2Own Berlin 2026 delivered a dense slate of successful exploits against fully patched systems, with researchers demonstrating 15 unique zero-day vulnerabilities across Microsoft Exchange, Windows 11, Red Hat Enterprise Linux for Workstations, and popular AI coding agents. Cash awards for the day totaled $385,750, underscoring how much valuable attack surface still exists in widely deployed software.
What happened on day two
Event highlights included a standout chained exploit of Microsoft Exchange by Cheng-Da Tsai (Orange Tsai) of the DEVCORE Research Team. By linking three distinct bugs, the entry achieved remote code execution with SYSTEM privileges and earned a $200,000 award. Windows 11 was also compromised via an integer overflow by Siyeon Wi ($7,500), and Ben Koo of Team DDOS escalated privileges to root on Red Hat Enterprise Linux for Workstations ($10,000).
Container and AI tooling were not spared. 0xDACA and Noam Trobishi demonstrated a use-after-free exploit against the NVIDIA Container Toolkit, while multiple teams targeted coding assistants: Viettel Cyber Security’s Le Duc Anh Vu compromised the Cursor AI coding agent ($30,000), Sina Kheirkhah of Summoning Team demonstrated a zero-day in OpenAI Codex ($20,000), and Compass Security also exploited Cursor ($15,000).
For context, day one saw 24 unique zero-days and $523,000 in awards, including a four-bug logic chain sandbox escape in Microsoft Edge by Orange Tsai ($175,000), three separate Windows 11 privilege escalations, root on Red Hat Enterprise Linux for Workstations, and additional findings in the NVIDIA Container Toolkit and several AI developer tools.
Per the competition’s rules, all targets are fully updated at the time of testing and entries must demonstrate arbitrary code execution. Vendors receive the details under disclosure and have 90 days to ship fixes. See the Pwn2Own program details for general rules and timelines: https://www.zerodayinitiative.com/Pwn2OwnBerlin2026Rules.html
Why it matters
These results show that even up-to-date enterprise software and developer tooling can harbor impactful flaws—some enabling high-privilege code execution. Mail servers, operating systems, container components, and AI-assisted coding tools are deeply embedded in modern workflows. When vulnerabilities surface in all of them in quick succession, defenders should anticipate an active patch cycle and plan accordingly.
What’s confirmed vs. still unclear
Confirmed:
- Day two included 15 unique zero-days and $385,750 in awards.
- Exchange was compromised via a three-bug chain to RCE with SYSTEM privileges (award: $200,000).
- Additional successful entries targeted Windows 11 (integer overflow), Red Hat Enterprise Linux for Workstations (privilege escalation), the NVIDIA Container Toolkit (use-after-free), and multiple AI coding agents (Cursor and OpenAI Codex).
- Vendors have up to 90 days to release fixes after disclosure per contest rules.
Unclear at this time:
- Specific technical details, affected build numbers, and defensive mitigations. Public write-ups and CVE assignments typically follow vendor advisories and may not be available until patches are ready.
Practical next steps
Until vendor advisories land, the most useful moves are organizational:
- Track advisories and security bulletins for Microsoft Exchange, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit, Cursor AI, and OpenAI Codex.
- Prepare maintenance windows to test and deploy patches quickly once released, in line with the contest’s 90-day timeline.
- Monitor official Pwn2Own/ZDI channels for coordination updates around disclosure and patch availability.
The bigger picture
Pwn2Own continues to surface high-impact bugs across both classic enterprise targets and newer AI-driven tools. The breadth of findings this week—mail servers, operating systems, containers, and coding agents—illustrates how attack surface has expanded alongside modern development and deployment practices. While the technical details remain under embargo, the takeaway is straightforward: expect patch advisories across several widely used platforms, and plan to prioritize them promptly when they arrive.
Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.