Published Tuesday, June 23, 2026 at 01:10 AM PT

BREAKING: Pwn2Own Berlin 2026 โ€” Day Two Continued Results Published; Multiple Zero-Days Demonstrated Live

BLUF: Zero Day Initiative has published continued Day Two results from Pwn2Own Berlin 2026, confirming additional successful exploit demonstrations against enterprise targets. Organizations running affected products should monitor ZDI advisories immediately for patch availability and mitigation guidance.

DETAILS

  • ZDI has released updated Day Two results for Pwn2Own Berlin 2026, including a revised Master of Pwn leaderboard reflecting additional successful exploitation attempts. Specific targets and vulnerability classes from this session have not been confirmed in the source data provided โ€” full technical details are pending ZDI’s official write-up.
  • Pwn2Own Berlin 2026 follows the standard ZDI contest format: all demonstrated vulnerabilities are zero-days at time of exploitation, with details embargoed and vendors notified immediately following successful attempts.
  • Affected vendors are notified by ZDI upon successful demonstration per responsible disclosure policy; vendors typically have 90 days to issue patches before public disclosure.
  • Specific products successfully exploited in this session are not confirmed in available source material. Do not assume scope based on prior Pwn2Own events.
  • Contest results indicate competitive participation with a populated leaderboard, suggesting multiple successful exploitation chains were demonstrated across Day Two.

IMPACT

  • Who is affected: Organizations running enterprise software, browsers, virtualization platforms, and operating systems historically targeted at Pwn2Own โ€” scope for Berlin 2026 specifically is unconfirmed pending full ZDI disclosure.
  • Severity: Zero-days demonstrated at Pwn2Own are confirmed exploitable by skilled researchers under controlled conditions. Real-world weaponization risk varies; no in-the-wild exploitation of these specific vulnerabilities has been reported at this time.
  • Patch status: Patches are not expected to be immediately available. ZDI’s 90-day disclosure window applies.
  1. Monitor ZDI’s blog and advisory feed (zerodayinitiative.com) for full Day Two technical summaries and affected product identification as they are published.
  2. Identify your exposure to product categories historically targeted at Pwn2Own Berlin (browsers, hypervisors, OS kernels, enterprise applications) and review existing compensating controls.
  3. Do not wait for patches โ€” apply defense-in-depth measures including network segmentation, privilege restriction, and endpoint detection tuning for affected product categories once confirmed.
  4. Track vendor security bulletins for any out-of-band emergency patches that may follow contest disclosure.

SOURCES

  • Zero Day Initiative โ€” Pwn2Own Berlin 2026 Day Two Results (cont): zerodayinitiative.com
  • ZDI Pwn2Own Berlin 2026 Announcement (Zero Day Initiative)

โš ๏ธ UNCERTAINTY FLAG: Specific exploited products, vulnerability classes, prize amounts, and team names from Day Two (cont) are not confirmed in available source data. This alert will require update once ZDI publishes full technical results. Do not redistribute with assumed specifics.