Pwn2Own Berlin 2026: Day Three Results and Master of Pw
Following two days of intense competition, Day Three of Pwn2Own Berlin 2026 brought the curtain down on an incredible event. Security researchers delivered their final exploits, pushing enterprise systems to the limit one last time as the race for Master of Pwn came to a close.
Day Three added to an already historic event, bringing the final totals to $1,298,250 awarded for 47 unique 0-day vulnerabilities across three days of competition. DEVCORE claimed the title of Master of Pwn with a commanding 50.5 points and $505,000 — a dominant performance across all three days. STARLabs SG finished in second with 25 points and $242,500, followed by Out Of Bounds in third with 12.75 points and $95,750.
Congratulations to all the researchers who participated, and a special thank you to OffensiveCon for hosting. We'll see you at the next Pwn2Own.
Here are the results of Day Three:
SUCCESS/COLLISION - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) used two bugs to exploit Red Hat Linux, but one of the bugs was previously known. He still earns $7,000 and 1.5 Master of Pwn points.
SUCCESS - Le Tran Hai Tung (@tacbliw), dungnm (@dungnm_) and hieuvd (@gr4ss341) of Viettel Cyber Security (@vcslab) used an integer overflow to escalate privileges on Windows 11. Their 5th round win nets them $7,500 and 3 Master of Pwn points.
SUCCESS - Satoki Tsuji (@satoki00) of Ikotas Labs, Inc. abused an external control to exploit OpenAI Codex and pop a host of calcs. He earns $20,000 and 4 Master of Pwn points.
FAILURE - Unfortunately, Giuseppe Calì of Summoning Team (@SummoningTeam) could not get their exploit of VMware ESXi working within the time allotted.
COLLISION - Although successful on stage, Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., and Urs Mueller (@compasssecurity) of Compass Security targeted Anthropic Claude Code, hitting a one-vulnerability collision with a previous attempt and earning $20,000 and 2 Master of Pwn points.
SUCCESS - Hyunwoo Kim (@v4bel) chained a use-after-free and uninitialized memory bug to escalate privileges on Red Hat Enterprise Linux for Workstations in the fourth round, earning $5,000 and 2 Master of Pwn points.
SUCCESS - splitline (@splitline) of DEVCORE Research Team chained 2 bugs to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points.
SUCCESS - Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG (@starlabs_sg) used a Memory Corruption bug to exploit VMware ESXi with the Cross-tenant Code Execution add-on, earning $200,000 and 20 Master of Pwn points.
COLLISION - While Byung Young Yi (@yibarrack) of Out Of Bounds successfully demonstrated their exploit of Anthropic Claude Code, the bug used had been previously disclosed. They still earn $20,000 and 2 Master of Pwn points.

Facts Only

* The event was Day Three of Pwn2Own Berlin 2026.
* A total of $1,298,250 was awarded for 47 unique zero-day vulnerabilities across three days of competition.
* DEVCORE claimed the Master of Pwn title with 50.5 points and $505,000.
* STARLabs SG finished in second place with 25 points and $242,500.
* Out Of Bounds finished in third place with 12.75 points and $95,750.
* Sina Kheirkhah earned $7,000 and 1.5 Master of Pwn points for exploiting Red Hat Linux using two bugs.
* Le Tran Hai Tung, dungnm, and hieuvd earned $7,500 and 3 Master of Pwn points for an integer overflow on Windows 11.
* Satoki Tsuji earned $20,000 and 4 Master of Pwn points for abusing an external control to exploit OpenAI Codex.
* Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., and Urs Mueller earned $20,000 and 2 Master of Pwn points for a collision on Anthropic Claude Code.
* Hyunwoo Kim earned $5,000 and 2 Master of Pwn points by chaining use-after-free and uninitialized memory bugs on Red Hat Enterprise Linux for Workstations.
* splitline earned $100,000 and 10 Master of Pwn points by chaining two bugs to exploit Microsoft SharePoint.

Executive Summary

Day Three of Pwn2Own Berlin 2026 concluded with the award of final results for the competition. The event awarded a total of $1,298,250 across 47 unique zero-day vulnerabilities identified over the three days. DEVCORE claimed the title of Master of Pwn with 50.5 points and $505,000. STARLabs SG placed second with 25 points and $242,500, while Out Of Bounds finished third with 12.75 points and $95,750. Individual researchers earned varying amounts based on the exploits successfully demonstrated, such as an integer overflow on Windows 11 or a chained use-after-free exploit on Red Hat Enterprise Linux for Workstations. Several entries resulted in collisions with previously known vulnerabilities, earning partial scores but still reflecting significant financial rewards.

Full Take

The competitive structure of this event reveals that the value of a zero-day vulnerability is heavily tied not just to its technical severity but also to the narrative control surrounding its discovery and demonstration. The outcome, where DEVCORE achieved a commanding lead with both points and prize money, suggests an imbalance in the distribution of specialized skills—or perhaps the ability to coordinate large teams—rather than simply raw vulnerability hunting speed. The presence of multiple collisions demonstrates that successful exploitation often relies on overlapping knowledge or prior research, which shifts the focus from finding purely novel flaws to exploiting a constellation of existing weaknesses. This pattern implies that elite performance is less about singular genius and more about efficient resource management in a highly specialized knowledge domain. The existence of specific prize money tied to distinct exploit types (e.g., memory corruption vs. external control) suggests an economic stratification within the security research landscape, where certain methodologies are rewarded more heavily than others. This raises the question: if competition rewards exposure and demonstration, how does this structure influence the ethical imperative to disclose vulnerabilities versus hoarding knowledge?
