Full Report
On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-days. [...]
Analysis Summary
# Vulnerability: Pwn2Own Berlin 2026 Day One Multi-Platform Zero-Day Exploits
## CVE Details
- **CVE ID:** Pending (Zero-day vulnerabilities; IDs are typically assigned after vendor disclosure)
- **CVSS Score:** N/A (Estimated Critical/High based on impact)
- **CWE:** Demonstrated bug classes included logic bugs, privilege escalation, and sandbox escapes.
## Affected Systems
- **Products:**
  - Microsoft Edge
  - Microsoft Windows 11
  - Red Hat Linux for Workstations
  - NVIDIA Container Toolkit
  - NVIDIA Megatron Bridge
  - OpenAI Codex (Coding Agent)
  - LiteLLM
  - Chroma
  - LM Studio
- **Versions:** All products were tested in their "fully patched" or latest stable configurations as of May 14, 2026.
- **Configurations:** Default enterprise and workstation installations.
## Vulnerability Description
Multiple high-impact vulnerabilities were demonstrated, including:
1. **Microsoft Edge Sandbox Escape:** Achieved by chaining four unique logic bugs to break out of the browser's restricted environment.
2. **Windows 11 Privilege Escalation:** Three distinct zero-days allowing local users to gain elevated system privileges.
3. **Linux Kernel/System Level:** A "rooting" exploit against Red Hat Linux for Workstations.
4. **AI/Container Security:** Zero-days in NVIDIA's Container Toolkit and various Large Language Model (LLM) operations tools (LiteLLM, Chroma, LM Studio) allowing for unauthorized access or code execution.
## Exploitation
- **Status:** PoC available (demonstrated live by researchers; details shared privately with vendors).
- **Complexity:** Medium to High (Many involved complex exploit chains).
- **Attack Vector:** Network (Edge/LLM targets) and Local (Windows/Linux privilege escalations).
## Impact
- **Confidentiality:** High (Total system access/Data extraction)
- **Integrity:** High (Full system control/Privilege escalation)
- **Availability:** High (Ability to crash or take down services like LiteLLM)
## Remediation
### Patches
- **Currently Unavailable:** Vendors have been granted a **90-day disclosure window** from the date of the competition (May 14, 2026) to issue official patches before technical details are made public.
### Workarounds
- **General Hardening:** Minimize the attack surface of AI development tools and LLM agents.
- **Restricted Access:** Limit local access to Windows 11 and Red Hat workstations to trusted users only to mitigate privilege escalation risks.
- **Network Segmentation:** Isolate containerized environments and LLM infrastructure (LiteLLM/Codex) from critical internal networks.
## Detection
- **Indicators of Compromise:** Unusual child processes spawning from `msedge.exe` (indicative of sandbox escape) or unauthorized calls to `sudo` or hardware-level drivers in Linux/NVIDIA environments.
- **Detection Methods:** Monitor for unexpected privilege alterations and utilize behavioral analysis tools to identify non-standard logic flow in enterprise applications.
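
The `msedge.exe` child-process indicator above can be checked against process-creation telemetry. The following is an added example, not part of the original report: it assumes JSON-lines events with Sysmon-style `ParentImage`, `Image` and `CommandLine` fields, the default Edge install directories, and a small allowlist of expected child binaries that should be tuned per environment. The sample events are constructed.

```python
import json
import ntpath  # parses Windows paths on any OS

# Assumptions (tune per environment): default Edge install roots and the
# helper binaries Edge is expected to launch.
EDGE_ROOTS = tuple(p.lower() + "\\" for p in (
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
    r"C:\Program Files\Microsoft\Edge\Application",
))
EXPECTED_CHILDREN = {"msedge.exe", "identity_helper.exe"}

def classify(event):
    """Return a reason string for a suspicious msedge.exe child, else None."""
    parent = str(event.get("ParentImage", "")).lower()
    child = str(event.get("Image", "")).lower()
    if ntpath.basename(parent) != "msedge.exe":
        return None  # only children of Edge are in scope
    name = ntpath.basename(child)
    if name not in EXPECTED_CHILDREN:
        return f"unexpected child {name}"
    if not child.startswith(EDGE_ROOTS):
        # Allowed name in the wrong location: possible masquerading.
        return f"{name} outside Edge install directory"
    return None

def scan(lines):
    """Scan JSON-lines events; return (line_no, reason, command_line) tuples."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or malformed records
        reason = classify(event) if isinstance(event, dict) else None
        if reason:
            findings.append((line_no, reason, event.get("CommandLine", "")))
    return findings

# Constructed sample events (not real telemetry).
_EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application"
def _ev(parent, image, cmd):
    return json.dumps({"ParentImage": parent, "Image": image, "CommandLine": cmd})
SAMPLE = [
    _ev(_EDGE + r"\msedge.exe", _EDGE + r"\msedge.exe", "msedge.exe --type=renderer"),
    _ev(_EDGE + r"\msedge.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    _ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    _ev(_EDGE + r"\msedge.exe", r"C:\Users\Public\msedge.exe", "msedge.exe"),
    '{"ParentImage": "truncated',
    _ev(_EDGE + r"\msedge.exe", _EDGE + r"\1.2.3.4\identity_helper.exe", "identity_helper.exe"),
]
```

Calling `scan(SAMPLE)` flags the second and fourth events; the renderer, the Edge helper, the non-Edge parent and the malformed record are ignored.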
## References
- Trend Micro Zero Day Initiative: hxxps[://]www[.]zerodayinitiative[.]com/blog/2026/3/11/announcing-pwn2own-berlin-for-2026
- Bleeping Computer Report: hxxps[://]www[.]bleepingcomputer[.]com/news/security/windows-11-and-microsoft-edge-hacked-on-first-day-of-pwn2own-berlin-2026/
- Pwn2Own Official Rules: hxxps[://]www[.]zerodayinitiative[.]com/Pwn2OwnBerlin2026Rules[.]html