
Windows 11, Microsoft Edge, and Exchange hacked at Pwn2Own

Ethical hackers cracked Windows 11, Exchange, Edge, and AI tools at Pwn2Own 2026, earning nearly $1 million in two days.

Some of you may know about Pwn2Own, a hacking contest organized twice a year by Zero Day Initiative (ZDI), challenging ethical hackers to find 0-day exploits in popular products within the allotted time, with huge cash prizes on offer. In the past, we have seen Windows 11, Teams, iOS 11.1, and more being breached by white-hat hackers, and the ongoing Pwn2Own 2026 event is no different.

On day two of the three-day event, contestant Siyeon Wi was able to leverage an integer overflow bug in Windows 11 to perform a privilege escalation attack and bagged $7,500 in prize money. Similarly, Orange Tsai of the DEVCORE Research Team chained three bugs in a complex attack to gain SYSTEM privileges that allowed them to trigger remote code execution (RCE) in Microsoft Exchange. They earned $200,000.

Lots of AI tools were successfully breached, including Ollama, LM Studio, Claude Desktop, Cursor, OpenAI Codex, and more. There were unsuccessful attempts on day two too. For example, the contestants were unable to exploit Microsoft SharePoint and Apple Safari within the given timeframe. In total, $385,750 was awarded on the second day for the discovery of 15 unique 0-days.

Previously, day one saw Windows 11 being exploited multiple times through an "Improper Access Control" issue, heap-based buffer overflow, and Use-After-Free (UAF) bugs. Tsai also managed to chain four logic bugs in Edge and perform a sandbox escape, winning $175,000. On this first day, $523,000 was awarded for the discovery of 24 0-day exploits, bringing the two-day grand total to $908,750 and 39 exploits.

Overall, events like these are valuable because they let people practice ethical hacking skills safely while rewarding them for their work. In return, vendors of software and hardware products have the opportunity to improve their security mechanisms, and the benefits flow downstream to regular consumers too. The discovered 0-day exploits are validated on-site by representatives of vendors and ZDI, after which the contestant privately reverse-engineers the attack for the judges. As the main sponsor of the event, ZDI offers the majority of the cash prizes to the winners. It will be exciting to see what other technical feats will be accomplished on day three of Pwn2Own 2026 in Berlin tomorrow.
