Windows 11 and Microsoft Edge Hacked at Pwn2Own Berlin 2026

BleepingComputer, May 14, 2026

Why It Matters

The hacks expose critical flaws in widely deployed operating systems and AI tools, forcing vendors to patch within 90 days and highlighting the growing attack surface of generative‑AI platforms. For enterprises, the findings underscore the need for rapid vulnerability management and zero‑trust defenses.

Key Takeaways

  • Orange Tsai earned $175,000 for Edge sandbox escape
  • Three teams each won $30,000 for Windows 11 privilege‑escalation bugs
  • Valentina Palmiotti collected $70,000 for Linux and NVIDIA exploits
  • AI model hacks, including OpenAI Codex, fetched $40,000 each

Pulse Analysis

Pwn2Own Berlin 2026, the flagship hacking contest at OffensiveCon, has become a barometer for the security health of today’s most critical software. By rewarding researchers who break into fully patched products, the event forces vendors to confront real‑world attack techniques rather than theoretical vulnerabilities. This year’s Day 1 payouts topped $523,000, with 24 distinct zero‑days uncovered across browsers, operating systems, container runtimes, and large‑language‑model (LLM) interfaces, underscoring the breadth of modern attack surfaces.

The most headline‑grabbing exploits involved Microsoft’s flagship offerings. Orange Tsai’s $175,000 Edge win demonstrated that even sandboxed browsers can be compromised through chained logic bugs, while three separate teams each earned $30,000 for novel privilege‑escalation routes in Windows 11. Parallel successes against Red Hat Linux workstations, NVIDIA’s Container Toolkit, and AI services such as OpenAI’s Codex and Anthropic’s Claude Code reveal that the traditional perimeter is eroding; attackers now target the compute kernels that power generative‑AI workloads. Vendors have a strict 90‑day window to release patches, a timeline that pressures development cycles and highlights the importance of coordinated disclosure.

For enterprises, the contest’s outcomes serve as an early warning system. The disclosed flaws illustrate that even up‑to‑date environments can harbor exploitable bugs, especially when AI inference engines are integrated into production pipelines. Organizations should accelerate their vulnerability‑management programs, adopt zero‑trust architectures, and consider continuous monitoring of AI model endpoints. Meanwhile, the security community benefits from the public disclosure of these zero‑days, which fuels defensive research and improves the overall resilience of the software supply chain. The escalating cash prizes—potentially exceeding $1 million for a single event—signal that the industry values proactive discovery and will continue to invest heavily in bug‑bounty ecosystems.
