Pwn2Own Berlin 2026: 2nd Place

Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars.

The 2026 edition of Pwn2Own (Pwn2Own Berlin) was held from 14th May to 16th May 2026 in Berlin, Germany.

Our researchers came in 2nd place overall at Pwn2Own Berlin 2026.

Day One — 14th May 2026

Billy Jheng Bing-Jhong, Bruce Chen, Pan Zhenpeng and Shi Weiming successfully chained 5 bugs including SSRF and Code Injection to exploit LM Studio.

Day Two — 15th May 2026

Billy Jheng Bing-Jhong, Bruce Chen, Pan Zhenpeng and Shi Weiming successfully exploited NVIDIA Megatron Bridge.

Day Three — 16th May 2026

Nguyễn Hoàng Thạch used a Memory Corruption bug to successfully exploit VMware ESXi with the Cross-tenant Code Execution add-on.

References

• ZDI blog: Pwn2Own Berlin 2026 announcement
• ZDI blog: Day One results
• ZDI blog: Day Two results
• ZDI blog: Day Three results and Master of Pwn