Security researchers collected $523,000 on the opening day of Pwn2Own Berlin 2026 by demonstrating 24 previously unknown vulnerabilities across AI tools, Windows 11, Microsoft Edge, and Red Hat Linux. The session on May 13 marked a significant expansion of the contest’s AI category: for the first time, Pwn2Own fielded a full track spanning AI databases, coding agents, and local inference engines with substantial prize money attached. While a limited AI category debuted at Pwn2Own Vancouver in 2024, Berlin 2026 represented the first time these broader AI sub-categories were targeted and successfully exploited on stage. The results put pressure on vendors to patch a wave of newly disclosed flaws across software that millions of people and businesses rely on daily.
What Pwn2Own is and why it matters
Pwn2Own is a live hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI). Researchers attempt to compromise fully patched, widely used software in front of judges. If they succeed, they earn cash prizes and the vendor receives a private report detailing the flaw. The vendor then has 90 days to ship a patch before ZDI publishes technical details. The format turns vulnerability research into a structured, time-bound process that benefits both researchers and the companies whose products are tested.
Day one by the numbers
Twenty-two entries took the stage across categories that included AI databases, AI coding agents, local inference tools, web browsers, and operating systems, according to ZDI’s official results post. Those 22 attempts produced 24 distinct zero-day vulnerabilities, a count that exceeds the number of entries because some exploit chains relied on multiple independent bugs to reach their target.
Windows 11 and Microsoft Edge both fell to separate exploit chains, continuing a long pattern of Microsoft products drawing researcher attention at Pwn2Own. Red Hat Linux was also compromised. Among the AI targets, the proxy tool LiteLLM was successfully exploited, according to SecurityAffairs, a secondary outlet covering the event. That result underscores how quickly AI infrastructure software has moved from experimental deployment to real-world attack surface.
Independent reporting from BleepingComputer and a Threads post from the conference floor corroborated the headline figures and confirmed that AI categories dominated the day’s schedule.
Why the expanded AI category changes the game
Pwn2Own Vancouver 2024 introduced a limited AI category, and payouts were made in that edition. Berlin 2026, however, is the first time the contest fielded a full-scale AI track spanning databases, coding agents, and local inference engines, with significant prize money on the line. The expansion reflects a broader industry shift: enterprises are deploying AI tools into production environments at speed, often without the same security scrutiny applied to operating systems or browsers.
The attack surfaces in AI software range from prompt injection and model manipulation to conventional memory corruption bugs buried inside inference engines. That 22 entries targeted AI-related products on a single day signals that the security research community sees these tools as both vulnerable and valuable. It does not, however, guarantee that vendors will respond with the same urgency they bring to browser or OS patches. AI tooling maintainers, many of them open-source projects with small teams, face a steeper challenge in turning around fixes within the 90-day window.
What has not been confirmed
ZDI’s official post listed categories and the aggregate payout but did not publish full vulnerability write-ups, which is standard practice during the disclosure window. Several details circulating in secondary coverage remain unverified against primary sources:
- Specific exploit techniques: Descriptions of individual attack chains, including references to GPU-level bypasses, have appeared in news reports but not in ZDI’s own documentation.
- Researcher identities and per-exploit payouts: Some outlets have named specific teams, but those attributions have not been corroborated by the official results page as of mid-May 2026.
- Vendor patch timelines: Microsoft, Red Hat, and LiteLLM’s maintainers have not publicly committed to specific release dates. Past Pwn2Own cycles have seen patches arrive anywhere from a few weeks to the full 90 days.
The contest still has additional competition days ahead, so the final payout and zero-day count will grow. Day-one figures represent the opening chapter, not the full story.
What security teams should do now
For organizations running any of the affected products, the response is straightforward but time-sensitive. Security teams should inventory which of the targeted tools are active in their environments and subscribe to vendor security advisories for those products. When patches ship over the coming weeks, prioritizing their deployment will be the most direct way to reduce exposure.
It is also worth treating early technical commentary with caution. Exploit-chain descriptions often shift once ZDI and vendors release full advisories, and some supposed new classes of AI vulnerabilities may turn out to be familiar bugs repackaged in unfamiliar software. Strategy should be built on confirmed vulnerability patterns, not on unverified conference-floor anecdotes.
AI software enters the proven-target era at Pwn2Own
The opening day of Pwn2Own Berlin 2026 settled a question that had been building since the limited AI category appeared in 2024: skilled researchers can reliably find and exploit serious flaws in a broad range of AI platforms under contest conditions, just as they have done with browsers and operating systems for years. The 24 zero-days and $523,000 in payouts are not abstractions. They represent real vulnerabilities in software that enterprises are deploying right now. As the remaining competition days unfold through mid-May 2026, the total count will climb, but the first session already delivered the sharpest signal yet that AI security is no longer a future problem. It is a current one.
*This article was researched with the help of AI, with human editors creating the final content.