Zero‑Day Flaws Disclosed at Pwn2Own Berlin 2026 Reveal 47 Critical Vulnerabilities Across Enterprise Tech
What Happened – Researchers at the Pwn2Own Berlin 2026 contest uncovered 47 zero‑day vulnerabilities in fully‑patched enterprise products, earning a total of $1,298,250 in rewards. The flaws spanned browsers, Microsoft 365 services, Windows 11, Red Hat Enterprise Linux, VMware ESXi, container runtimes, and emerging AI‑coding agents.
Why It Matters for TPRM –
- Zero‑days indicate that vendors’ products can be compromised before patches are publicly available, creating a window of exposure for downstream customers.
- The breadth of affected technologies (OS, browsers, cloud‑native containers, AI tools) maps directly to common third‑party services used by many organizations.
- Vendors have a 90‑day remediation window after the contest; organizations must verify that patches are applied promptly to avoid supply‑chain risk.
Who Is Affected – Enterprises relying on Microsoft SharePoint, Exchange, Edge, Windows 11, Red Hat Enterprise Linux, VMware ESXi, container platforms, and AI‑assisted development tools.
Recommended Actions –
- Review contracts and security clauses for any of the above vendors.
- Confirm that the 90‑day patch window has been met; request evidence of remediation.
- Update vulnerability management programs to include rapid testing of disclosed zero‑days.
- Re‑assess risk scores for services that were shown to be exploitable in the contest.
Technical Notes – The contest demonstrated remote code execution on Microsoft Exchange (a chain of three bugs), a sandbox escape in Microsoft Edge (four logic bugs), privilege escalation on Windows 11 and Red Hat Enterprise Linux, and memory‑corruption exploitation of VMware ESXi. No CVE numbers had been assigned at the time of reporting; disclosures will be published through Trend Micro’s Zero Day Initiative after the 90‑day vendor window.
Source: BleepingComputer