Pwn2Own Berlin 2026 Day 2: Hackers Earn $385,750 Exploiting 15 Zero-Day Flaws

Welcome to our breakdown of the second day of Pwn2Own Berlin 2026, where top security researchers and ethical hackers competed to uncover critical vulnerabilities in widely used software. The event saw participants walk away with a total of $385,750 in prize money after successfully demonstrating 15 unique zero-day exploits targeting systems like Windows 11 and Red Hat Enterprise Linux, among others. This Q&A format will help you understand the key events, the techniques used, and the broader implications for cybersecurity.

What is Pwn2Own and why is it important?

Pwn2Own is one of the most prestigious ethical hacking competitions in the world, organized by Trend Micro's Zero Day Initiative. It brings together elite security researchers to find and demonstrate zero-day vulnerabilities—flaws unknown to the vendor—in major operating systems, browsers, and enterprise software. The event serves several critical purposes: it encourages responsible disclosure by offering substantial cash rewards; it helps vendors like Microsoft, Red Hat, and Apple improve their products' security; and it showcases the real-world risk of these vulnerabilities before malicious actors can exploit them. Competitors must present working exploits that compromise the target system within strict time limits, proving both the severity and the technical skill involved. Day 2 of Pwn2Own Berlin 2026 was particularly noteworthy for the high number of unique zero-days discovered.

Pwn2Own Berlin 2026 Day 2: Hackers Earn $385,750 Exploiting 15 Zero-Day Flaws

How much money did competitors earn on day 2?

On the second day of Pwn2Own Berlin 2026, participants collectively earned $385,750 in cash prizes. This amount was awarded for successfully exploiting 15 distinct zero-day vulnerabilities across multiple platforms. The prize pool reflects the difficulty and sophistication of the attacks: each successful exploit is judged on its complexity, impact, and the level of access it provides. Some of the larger payouts likely came from full chain exploits that gained kernel-level access or bypassed multiple security layers. The total winnings highlight the value that the industry places on discovering and responsibly reporting such flaws before they can be used in cyberattacks. Day 2's earnings contributed to what is expected to be one of the most lucrative Pwn2Own events in history.

Which products were targeted during day 2?

Competitors focused on a range of high-profile targets, including Windows 11 and Red Hat Enterprise Linux, as well as other unspecified platforms. These systems were chosen because they are widely deployed in enterprise and consumer environments, making them attractive targets for both attackers and defenders. The 15 zero-day vulnerabilities exploited on day 2 likely included remote code execution flaws, privilege escalation bugs, and sandbox escapes. The presence of Red Hat Enterprise Linux in the list is significant, as it indicates that the competition expanded beyond traditional desktop OS to include enterprise servers and cloud workloads. This diversity ensures that the discoveries are relevant to a broad spectrum of organizations.

What exactly is a zero-day vulnerability?

A zero-day vulnerability is a security flaw in software or hardware that is unknown to the vendor and has no patch or fix available. The term “zero-day” refers to the number of days the vendor has had to address the issue—essentially zero. When exploited, a zero-day can allow attackers to install malware, steal data, or take full control of a system without detection. These vulnerabilities are highly prized by cybercriminals, nation-state hackers, and security researchers alike because they represent an unblocked path into a target. In competitions like Pwn2Own, researchers are encouraged to disclose these flaws to the vendor through the Zero Day Initiative, which then works on a patch. The 15 zero-days found on day 2 are now being reported to affected companies for remediation.

How do competitors win prizes at Pwn2Own?

To win a prize at Pwn2Own, competitors must demonstrate a working exploit against a target system within a strict time window—usually 30 minutes. The exploit must achieve a specific level of compromise, such as executing arbitrary code, escalating privileges to administrator or kernel level, or escaping a security sandbox. Each successful exploit is evaluated by judges for reliability, novelty, and impact. Prizes are tiered: simpler exploits might earn tens of thousands of dollars, while advanced chain exploits can fetch over $100,000. On day 2 of Pwn2Own Berlin 2026, the 15 unique zero-days were each awarded a share of the $385,750 total, with higher payouts going to the most impactful demonstrations. Winning also earns researchers recognition in the security community and often leads to invitations to future events.

What happens after a vulnerability is found at Pwn2Own?

Once a vulnerability is successfully demonstrated at Pwn2Own, it is immediately disclosed to the affected vendor through the Zero Day Initiative (ZDI) process. The vendor then has a set period, typically 120 days, to develop and release a security patch. During this time, the details of the exploit are kept confidential to prevent malicious actors from using the information. After the patch is issued, the ZDI publishes a technical analysis to help the community understand the flaw and improve defenses. This responsible disclosure model is a key reason why Pwn2Own is respected: it balances security research with public safety. The 15 zero-days from day 2 are now in the hands of Microsoft, Red Hat, and other vendors, so users should watch for upcoming security updates.

Why is Pwn2Own Berlin 2026 significant for enterprise security?

Pwn2Own Berlin 2026 is significant because it highlights the persistent risks to enterprise environments from zero-day vulnerabilities. The inclusion of Red Hat Enterprise Linux along with Windows 11 shows that attackers (and defenders) are focusing on both desktop and server platforms. For enterprises, this means that no operating system is immune, and regular patching and proactive security measures are essential. The $385,750 awarded on day 2 demonstrates the high stakes: these are not theoretical flaws but real weaknesses that could be weaponized. By funding such competitions, the industry incentivizes early discovery and protects organizations from costly breaches. The event also fosters a culture of collaboration between researchers and vendors, ultimately making software safer for everyone.