Full Report
During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. [...]
Analysis Summary
# Vulnerability: Multiple Zero-Day Exploits at Pwn2Own Berlin 2026 (Day 2)
## CVE Details
*Note: Specific CVE IDs are typically assigned by vendors after the 90-day disclosure period. At the time of this report, these are unpatched zero-day vulnerabilities.*
- **CVE ID:** Pending (Zero-day)
- **CVSS Score:** N/A (Estimated Critical/High)
- **CWE:**
  - Integer Overflow (Windows 11)
  - Use-After-Free (NVIDIA Container Toolkit)
  - Logic Flaws (Microsoft Edge/Exchange)
## Affected Systems
- **Products:**
  - Microsoft Exchange Server
  - Microsoft Windows 11
  - Red Hat Enterprise Linux (RHEL) for Workstations
  - NVIDIA Container Toolkit
  - Cursor AI coding agent
  - OpenAI Codex
- **Versions:** All products were confirmed to be "fully patched" at the time of the event (May 2026).
- **Configurations:** Default enterprise installations.
## Vulnerability Description
During Day 2 of Pwn2Own Berlin 2026, researchers demonstrated several critical flaws:
- **Microsoft Exchange:** A chain of three unique vulnerabilities allowed for Remote Code Execution (RCE) with SYSTEM privileges.
- **Windows 11:**
  - An integer overflow bug leading to privilege escalation.
  - Multiple local privilege escalation (LPE) vulnerabilities.
- **NVIDIA Container Toolkit:** A use-after-free (UAF) vulnerability allowing for container escape or elevated access.
- **AI Agents:** Various zero-day flaws were demoed in Cursor and OpenAI Codex, focusing on compromising coding environments.
## Exploitation
- **Status:** PoC demonstrated by researchers; currently zero-day (unpatched).
- **Complexity:** High (Requires chaining multiple bugs or specialized technical knowledge).
- **Attack Vector:**
  - **Network:** Microsoft Exchange (RCE).
  - **Local:** Windows 11 and RHEL (Privilege Escalation).
  - **Adjacent/Cloud:** NVIDIA Container Toolkit (Escape).
## Impact
- **Confidentiality:** High (Total system access / Remote Code Execution).
- **Integrity:** High (Ability to modify SYSTEM files or escalate to root).
- **Availability:** High (Potential for full system takeover).
## Remediation
### Patches
- **Status:** No patches are currently available.
- **Timeline:** Per Pwn2Own rules, vendors have **90 days** from May 15, 2026, to release official security updates before technical details are publicly disclosed.
### Workarounds
- **General:** Enforce the Principle of Least Privilege (PoLP) to limit the impact of LPE bugs.
- **Exchange:** Ensure Exchange servers are behind a VPN or robust firewall and utilize MFA to restrict unauthorized access to management interfaces.
- **Linux:** Monitor for unusual privilege escalation attempts via auditd or similar kernel monitoring tools.
## Detection
- **Indicators of Compromise:** Monitor for unexpected SYSTEM process spawning from Exchange (iisproxy.exe or w3wp.exe).
- **Detection methods:** Use Endpoint Detection and Response (EDR) tools to flag unusual memory allocation patterns (indicative of integer overflows or UAF exploits).
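
The parent/child check described under Indicators of Compromise, written out as an added example that is not part of the original report or any vendor guidance. The field names follow Sysmon Event ID 1 (process creation); the sample events and the `EXPECTED_CHILDREN` allowlist are constructed assumptions to be tuned per environment.

```python
import json
from ntpath import basename  # parses Windows paths on any host OS

# Parent processes named in the Detection section of this report.
WATCHED_PARENTS = {"w3wp.exe", "iisproxy.exe"}
# Assumption: children already expected from these parents; tune per environment.
EXPECTED_CHILDREN = {"w3wp.exe", "werfault.exe", "csc.exe"}
SYSTEM_USER = "nt authority\\system"

# Constructed sample records using Sysmon Event ID 1 (process creation) field names.
SAMPLE_EVENTS = r'''
{"UtcTime":"2026-05-16 09:12:01.120","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2026-05-16 09:12:40.003","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /noconfig"}
{"UtcTime":"2026-05-16 09:13:10.550","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs"}
{"UtcTime":"2026-05-16 09:14:22.410","User":"IIS APPPOOL\\DefaultAppPool","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile"}
{"UtcTime":"2026-05-16 09:15:05.900","User":"nt authority\\system","ParentImage":"C:\\WINDOWS\\SYSTEM32\\INETSRV\\W3WP.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile"}
{"UtcTime":"2026-05-16 09:16:00.000","User":
'''


def flag_unexpected_children(raw):
    """Return (time, parent, child, command line) for SYSTEM children of watched parents."""
    hits = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the run
        parent = basename(ev.get("ParentImage", "")).lower()
        child = basename(ev.get("Image", "")).lower()
        if (parent in WATCHED_PARENTS
                and ev.get("User", "").lower() == SYSTEM_USER
                and child not in EXPECTED_CHILDREN):
            hits.append((ev.get("UtcTime"), parent, child, ev.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for hit in flag_unexpected_children(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Matching is case-insensitive on both the image path and the account name, because process-creation telemetry does not record either with consistent casing.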
## References
- Trend Micro Zero Day Initiative - Day 2 Results: hxxps://www[.]zerodayinitiative[.]com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results
- Pwn2Own Berlin 2026 Rules: hxxps://www[.]zerodayinitiative[.]com/Pwn2OwnBerlin2026Rules[.]html
- BleepingComputer Reporting: hxxps://www[.]bleepingcomputer[.]com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/