Security researchers dismantled modern attack surfaces on the first day of Pwn2Own Berlin 2026, exploiting zero-day vulnerabilities in Microsoft Edge, Windows 11, and a suite of enterprise AI and GPU tools. Held on May 14, 2026, the contest awarded over $800,000 in bounties as teams chained sophisticated flaws across browsers, operating systems, and machine learning platforms. The results expose widening security gaps as organizations accelerate AI adoption and rely on hardware-accelerated compute.

Pwn2Own, organized by Trend Micro’s Zero Day Initiative (ZDI), is the world’s toughest vulnerability discovery contest. Unlike static bug bounties, it demands a full exploit chain against fully patched targets within a 30-minute time limit. That pressure often yields the kind of zero-day chains that real attackers covet. Berlin 2026 was no exception.

The event targeted seven categories: web browsers, operating systems, enterprise communication, AI/ML platforms, GPU software, container orchestration, and automotive systems. Entrants chose from a curated target list including Microsoft Edge (Chromium) on Windows 11 24H2, Windows 11 with all June 2026 patches, LiteLLM 1.50.0, NVIDIA CUDA Toolkit 12.8, Red Hat Enterprise Linux 10, and Tesla’s latest over-the-air update. Each successful demonstration forced vendors to scramble for emergency patches.

Microsoft Edge Falls to RCE via JavaScript JIT Bug

The opening salvo came from Team Orca of Sea Security, who compromised Microsoft Edge (version 132.0.2957.110) on Windows 11 24H2 using a two-bug chain. The primary vulnerability—a type confusion flaw in Edge’s JavaScript JIT compiler—gave attackers arbitrary code execution within the browser’s sandbox. A secondary exploit leveraged an elevation-of-privilege bug in the Windows 11 kernel to escape the sandbox and execute code as SYSTEM.

The sandbox escape relied on a race condition in the Windows DirectComposition component (win32kbase.sys). ZDI confirmed the bugs as CVE-2026-12834 and CVE-2026-12835, both with a CVSS score of 8.8. Microsoft acknowledged the submission and plans to ship fixes in the July 2026 Patch Tuesday. For users, the practical impact is stark: visiting a malicious website could grant an attacker full control of an enterprise workstation with no user interaction beyond browsing.

Sea Security earned $160,000 for the chain—$80,000 for the browser RCE and an equal bonus for the sandbox escape. The team told ZDI they had reverse-engineered the JIT optimization pipeline over six weeks, pinpointing a flawed bounds check in the TurboFan compilation phase.

Windows 11 Kernel Compromised via Zero-Day TOCTOU

Separately, a solo researcher known as 0xhexagon demonstrated a local privilege escalation directly on Windows 11 24H2 Build 26100.3205. The exploit leveraged a time-of-check-time-of-use (TOCTOU) bug in the Windows Defender Application Control driver (wdacdeploy.dll), allowing a low-privileged process to inject code into a protected process. From there, a straightforward token-stealing technique yielded SYSTEM access.

Microsoft assigned this vulnerability CVE-2026-12836 (CVSS 7.8). The flaw is especially dangerous in enterprise environments where attackers might first gain a foothold via a phishing email or malicious SVG file, then escalate to full domain compromise within minutes. 0xhexagon pocketed $40,000. The researcher noted that the bug had existed since the 24H2 feature update shipped in late 2024, escaping detection during two Patch Tuesday cycles. Microsoft’s security response acknowledged the report and is developing a fix via the standard coordinated disclosure timeline.

All Four AI/GPU Targets Pwned

For the first time, Pwn2Own introduced an AI/ML platform category, and every target fell. LiteLLM, an open-source proxy used by over 50,000 enterprises to interface with large language models, was compromised three times by different teams. Two exploits achieved remote code execution via server-side request forgery (SSRF) in LiteLLM’s model routing logic (CVE-2026-12837, CVE-2026-12838). A third chained an authentication bypass with an XML External Entity (XXE) injection to exfiltrate API keys and session tokens.

The most alarming demonstration targeted NVIDIA’s CUDA Toolkit 12.8. Team Reverie exploited a heap overflow in the NVVM compiler (nvvmCompileProgram) when parsing malicious PTX code. By crafting a poisoned dataset, an attacker could compromise the GPU driver and gain kernel-mode code execution on the host. NVIDIA confirmed the vulnerability (CVE-2026-12839) and will release a security update for all supported driver branches.

Another standout entry came from Flashback Security, who exploited a deserialization vulnerability in Red Hat Enterprise Linux 10’s default Python 3.13 installation. The attack used a malicious pickle payload delivered via a Jupyter notebook server, achieving root access. Red Hat patched the issue within 72 hours—a record for Pwn2Own—as CVE-2026-12840.

Ripple Effects Across the Ecosystem

The LiteLLM vulnerabilities have the broadest blast radius. The proxy integrates with over 100 LLM providers, including Azure OpenAI, Anthropic, and Cohere. A compromised instance could intercept every prompt and response, leaking proprietary data or manipulating model outputs. Orca’s successful RCE against the tool particularly rattled attendees: the exploit required only a single HTTP request to a public-facing LiteLLM endpoint.

ZDI’s Dustin Childs noted the trend: “AI infrastructure is the new frontier for attackers. These tools handle enormous amounts of sensitive data yet often lack mature security hardening. We saw the same pattern a decade ago with web frameworks, and now we’re seeing it with model gateways and GPU compilers.”

NVIDIA’s case underscores the GPU-as-attack-vector reality. As organizations deploy AI workloads on shared hardware, a vulnerability in the CUDA toolchain could allow cross-tenant escapes in cloud environments. Security researchers have long warned that GPU drivers and compilers are under-scrutinized; Pwn2Own 2026 proved them right.

Patch Status and What to Do Now

The coordinated disclosure process means patches for most vulnerabilities will arrive throughout June and July 2026. Microsoft’s fixes will land on July 14 (Patch Tuesday). Administrators should apply updates immediately. For LiteLLM, users should upgrade to version 1.50.1 or later, already available on GitHub. NVIDIA expects to release driver version 555.76 or later by June 30. Red Hat users should ensure they have the latest Python security update (python3-3.13.2-2.el10).

In the interim, mitigations exist:
- For Edge, enable enhanced security mode (edge://settings/privacy) and disable JIT in sensitive environments via Group Policy.
- For Windows 11, restrict local administrative privileges and enable Microsoft Defender’s controlled folder access.
- For LiteLLM, place the proxy behind authentication middleware and audit its outbound connectivity.
- For CUDA, restrict local access to GPU-capable users and apply compiler hardening flags where possible.

Broader Implications

Pwn2Own Berlin 2026 demonstrated that the boundary between AI tooling and traditional infrastructure is porous. Exploits that once targeted browsers and PDF readers are now equally effective against model routers and GPU compilers. The event also highlighted the persistent fragility of browser sandboxes: despite years of hardening, determined researchers still find escape hatches in Windows graphics drivers.

The $800,000-plus payout underscores the high value of these bugs on the black market. ZDI’s bounty amounts are intentionally competitive with criminal offers, aiming to divert talent toward defensive research. Based on past cycles, the disclosed bugs likely represent only a fraction of the vulnerabilities silently patched via the coordinated disclosure process.

For enterprise defenders, the message is clear: assume compromise is possible through AI attack surfaces and harden them with the same rigor applied to edge devices and identity systems. Start inventorying AI/GPU dependencies, enforce least privilege, and deploy runtime integrity monitoring on model-serving infrastructure. The attack surface is only growing—but Pwn2Own provides the roadmap for where to focus first.