
Pwn2Own Berlin 2026 Closes With $1.3M Paid, 47 Zero-Days and a New Champion

DEVCORE’s Orange Tsai-led team dominated all three days to claim the 2026 Master of Pwn title, while STARLabs SG delivered the weekend’s most technically significant moment with a memory corruption exploit that broke out of a VMware ESXi hypervisor and crossed tenant boundaries.

Pwn2Own Berlin 2026 is over. The final totals came in at $1,298,250 awarded for 47 unique zero-day vulnerabilities across three days of competition. DEVCORE claimed the title of Master of Pwn with a commanding 50.5 points and $505,000. STARLabs SG finished second with 25 points and $242,500, followed by Out Of Bounds in third with 12.75 points and $95,750.

ZDI, which runs the contest on behalf of Trend Micro, did not understate the result. “Congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 — they never slowed down,” ZDI posted on X at the close of the event.

SPB covered the event from the moment it overflowed its own registration, and on Day 2, when Orange Tsai earned $200,000 for a slick Exchange exploit.

ESXi: memory corruption, tenant boundary crossed, $200K earned

The single most technically significant result of the entire weekend did not come from DEVCORE. It came on the final day from STARLabs SG. Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG used a memory corruption bug to exploit VMware ESXi with the cross-tenant code execution add-on, earning $200,000 and 20 Master of Pwn points.

For practitioners outside the virtualization world: a hypervisor escape means a researcher broke out of the contained virtual machine environment and executed code on the underlying host. The cross-tenant add-on goes a step further — it means that code crossed from one virtual machine’s environment into another tenant’s isolated space.

In a shared cloud or data center environment, that class of vulnerability means one customer’s workload could potentially reach another’s. VMware was present at the event and had noted beforehand that Pwn2Own participants could earn up to $200,000 for ESXi exploits — a signal that the vendor was watching the category closely.

Giuseppe Calì of Summoning Team could not get his ESXi exploit working within the time allotted, leaving STARLabs as the only team to claim the hypervisor prize.

Splitline chains two bugs, SharePoint falls

DEVCORE did not arrive at Day 3 to coast. splitline (@splitline) of DEVCORE Research Team chained two bugs to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points.

That result closed a loop that had been open since Day 2, when Stephen Fewer of Rapid7 failed to exploit SharePoint within the time limit. DEVCORE went back to the same target on the final day and finished it. Across the full event, DEVCORE earned $200,000 for the Exchange RCE, $175,000 for the Edge sandbox escape, and $100,000 for the SharePoint chain — three of the four largest individual payouts of the competition.


OpenAI Codex: popped three times, three different ways

The AI category story of the week was not any single exploit — it was a pattern. OpenAI Codex, already compromised twice on Day 1, took another hit on the final day. Satoki Tsuji of Ikotas Labs abused an external control vulnerability to exploit the platform and demonstrate code execution, earning $20,000 and 4 Master of Pwn points. Codex was successfully exploited three separate times across the competition by three different researchers — a pattern that should prompt serious reflection inside OpenAI’s security organization. Each exploit used a different technique, meaning the attack surface is not a single narrow flaw but something broader.

Three independent teams, three different vulnerability classes, one product. That is not a targeted campaign — it is a broad and immature attack surface. Anthropic’s Claude Code was also hit twice across Days 2 and 3, though both results were collisions — meaning the underlying bugs had already been identified by the vendor prior to disclosure.

Collision rate: the quiet signal the AI industry should read

The collision problem at this year’s event went well beyond any single target. Compass Security targeted Anthropic Claude Code on Day 3; its single vulnerability collided with a previous attempt, earning $20,000 and 2 Master of Pwn points. Out Of Bounds’ Byung Young Yi also successfully demonstrated an exploit of Anthropic Claude Code on Day 3, but the bug had been previously disclosed. On Day 2, Sina Kheirkhah of Summoning Team hit a similar collision on Claude Desktop, earning partial credit for a bug the vendor had already identified.

Three separate collision events across Claude-related targets in a single contest tell you two things at once: Anthropic’s security team is finding bugs before external researchers do, and the volume of independent research focused on AI coding agents is high enough that multiple teams are converging on the same vulnerabilities.

The rest of Day 3

Sina Kheirkhah of Summoning Team used two bugs to exploit Red Hat Linux, but one was previously known, earning $7,000 and 1.5 Master of Pwn points. Le Tran Hai Tung, dungnm and hieuvd of Viettel Cyber Security used an integer overflow to escalate privileges on Windows 11 in the fifth round, earning $7,500 and 3 Master of Pwn points. Hyunwoo Kim (@v4bel) chained a use-after-free and uninitialized memory bug to escalate privileges on Red Hat Enterprise Linux for Workstations in the fourth round, earning $5,000 and 2 Master of Pwn points.

Three days, by the numbers

Competitors collected $523,000 on Day 1 for 24 unique zero-days, another $385,750 on Day 2 for 15 zero-days, and $389,500 on Day 3 for eight more zero-days. The $1,298,250 final total surpasses Berlin 2025’s $1,078,750 payout for 29 zero-days — more money and significantly more unique findings. Windows 11 was exploited successfully multiple times across all three days by multiple independent teams, each using a different vulnerability, becoming one of the most targeted and most compromised systems in Berlin.

Under Pwn2Own rules, all vendors receive technical reports and have 90 days to release patches before ZDI publicly discloses the vulnerability details.

Pwn2Own Berlin 2026: final results (event closed)
May 14–16, 2026 · OffensiveCon · Zero Day Initiative

Total awarded: $1,298,250 (up from $1,078,750 in 2025)
Unique zero-days: 47, across 3 days of competition
Days of competition: 3, covering 10 target categories

1st (Master of Pwn): DEVCORE Research Team, Taiwan, 50.5 pts, $505,000
2nd place: STARLabs SG, Singapore, 25 pts, $242,500
3rd place: Out Of Bounds, 12.75 pts, $95,750
# | Team / researcher | Pts | Cash | Wins
1 | DEVCORE Research Team (Champion): Orange Tsai + splitline + team · Taiwan | 50.5 | $505,000 | 5
2 | STARLabs SG: Nguyen Hoang Thach + team · Singapore | 25 | $242,500 | 3
3 | Out Of Bounds: Palmiotti + team | 12.75 | $95,750 | 3
4 | Summoning Team: Sina Kheirkhah + Giuseppe Calì | 9.5 | $57,000 | 3
5 | Marcin Wiązowski: Independent · Poland | 6 | $45,000 | 2
6 | Compass Security: Barbeno, Bannwart + team · Switzerland | 6 | $60,000 | 2
7 | Viettel Cyber Security: Le Duc Anh Vu + Le Tran Hai Tung + team · Vietnam | 6 | $37,500 | 2
8 | k3vg3n: Independent | 3 | $40,000 | 1
9 | Ikotas Labs: Satoki Tsuji (@satoki00) | 4 | $20,000 | 1
10 | Hyunwoo Kim: Independent (@v4bel) | 2 | $5,000 | 1

Patch window open: 47 bugs, 90 days

At the end of three days, the scoreboard is only half the story. Every one of the 47 zero-days demonstrated this week now sits in vendor inboxes. The 90-day clock is running on patches for Exchange, SharePoint, VMware ESXi, Windows 11, Red Hat Linux, OpenAI Codex, and a long list of AI inference tools. Organizations running any of those products should monitor vendor security advisories over the coming months. ZDI’s advisories are published on Trend Micro’s ZDI advisory page.
