Pwn2Own Berlin 2026 featured 47 unique exploits targeting Windows, Linux, VMware, Nvidia, and AI products, with total rewards of approximately $1.3 million. Top payouts included a remote code execution exploit on Microsoft Exchange with system privileges and a VMware ESX cross-tenant code execution exploit. AI product vulnerabilities were also exploited, with rewards ranging from $15,000 to $40,000. The event demonstrated active discovery of significant vulnerabilities across multiple platforms, emphasizing the importance of ongoing security research and vendor patching efforts. Some exploits targeted sandbox escapes and container toolkits. Several attempts failed, and some researchers chose direct vendor disclosure or public exploit release.

The vulnerabilities demonstrated at Pwn2Own Berlin 2026 include remote code execution with system privileges, sandbox escapes, and cross-tenant code execution, which could allow attackers to execute arbitrary code with elevated privileges or escape restricted environments. These vulnerabilities affect widely used enterprise and AI platforms, potentially impacting confidentiality, integrity, and availability if exploited. However, these were demonstrated by white hat hackers under controlled conditions, and there is no indication of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the respective vendors' advisories for current remediation guidance. Vendors typically respond to Pwn2Own disclosures with official fixes. Organizations should monitor vendor updates for patches addressing these specific vulnerabilities. No generic mitigation recommendations are provided as the vulnerabilities span multiple products and exploit types.