Zero‑Day Exploits Uncovered at Pwn2Own Berlin 2026: Microsoft Exchange RCE, Windows 11 Privilege Escalation, Red Hat Linux Bugs and AI‑Model Collisions
What Happened – Researchers demonstrated 15 new zero‑day vulnerabilities on Day 2 of Pwn2Own Berlin 2026, earning $385,750. Highlights include a multi‑bug remote‑code‑execution (RCE) chain that yields SYSTEM‑level code execution on Microsoft Exchange, an integer‑overflow privilege escalation on Windows 11, and a use‑after‑free privilege escalation on Red Hat Enterprise Linux Workstations.
Why It Matters for TPRM –
- Widely deployed infrastructure software (mail server, desktop OS, server OS) is shown to contain exploitable flaws even when fully patched.
- Zero‑days often translate into rapid weaponisation; vendors must demonstrate robust vulnerability‑management and patch‑deployment processes.
- AI‑model attack surface (LiteLLM) is gaining attention, expanding the scope of third‑party risk beyond traditional binaries.
Who Is Affected – Enterprises that rely on Microsoft Exchange for email, Windows 11 workstations, Red Hat Enterprise Linux servers, and SaaS providers integrating LiteLLM or similar AI models.
Recommended Actions –
- Review your vendor’s zero‑day disclosure and remediation policies for Exchange, Windows, and Linux stacks.
- Verify that patch‑management timelines meet or exceed industry best‑practice (e.g., within 30 days of CVE publication).
- Conduct additional security assessments on AI‑model integrations and enforce strict code‑review / sandboxing.
Technical Notes –
- Microsoft Exchange: three‑bug chain (sandbox escape → privilege escalation → SYSTEM RCE).
- Windows 11: integer overflow in kernel driver leading to local privilege escalation.
- Red Hat Enterprise Linux: use‑after‑free in the kernel’s memory manager.
- LiteLLM: collision exploit demonstrating the feasibility of attacking large language‑model APIs.
- No public CVE identifiers released at time of reporting; expect coordinated disclosures in the coming weeks.
Source: Security Affairs