Pwn2Own 2026 Capacity Overflow, Hackers Drop 0-Days Solo
Pwn2Own Berlin 2026 hit a hard submission cap for the first time in 19 years. Rejected researchers are now publishing working zero-days directly, breaking the contest's secrecy norms.

The bottleneck this year is not compute or training data. It is the Zero Day Initiative's capacity to process zero-day submissions for Pwn2Own Berlin 2026, which kicks off May 14 with 31 targets, $1M+ in prizes, and a four-category AI track that explicitly includes coding agents like Claude, GitHub Copilot, and Cursor. Researchers report that for the first time in the contest's 19-year history, ZDI told dozens of submitters their working zero-day RCE chains could not be accepted because the contest had run out of slots. Rejected researchers are now going public with their exploits directly.
TL;DR
- Pwn2Own Berlin 2026 ran out of contest slots before registration closed on May 7, with ZDI confirming "maximum capacity" privately to applicants
- Community-tracked count of rejected researchers exceeds 150, with confirmed names dropping full RCE chains in Firefox, Ollama, LM Studio, PyTorch, Linux KVM, NVIDIA, Docker, and Claude Code
- xchglabs alone prepared 86 vulnerabilities across the AI stack; all rejected, all now being disclosed directly to vendors with public writeups
- The event still runs May 14-16 in Berlin with $1M in announced prizes - but the parallel public-disclosure wave is already underway
- Structural signal: AI-assisted vulnerability research is now generating working exploits faster than the institutions built to triage and reward them can keep up
The Capacity, the Demand, and the Gap
Pwn2Own announced 10 categories and 31 official targets for the 2026 Berlin event, with four of those categories dedicated to AI: AI databases (vector stores), coding agents (Claude, Copilot, Cursor), local inference (Ollama, LM Studio), and NVIDIA (CUDA Toolkit, NV Container Toolkit, Megatron Bridge). Total prize pool: more than $1,000,000, up from $1,078,750 paid out at Berlin 2025.
The capacity is finite. Pwn2Own runs as a live contest with a fixed schedule, fixed attempt slots, and a finite ZDI staff to vet, verify, and pay each working exploit chain. The demand this year, per researchers tracking the rejections publicly, looked nothing like 2025.
| Metric | Pwn2Own Berlin 2025 | Pwn2Own Berlin 2026 |
|---|---|---|
| Categories | 8 | 10 (4 new AI) |
| Official targets | ~28 | 31 |
| Prize pool | $1.078M paid | $1M+ announced |
| Estimated registrants | typical (~30-60) | 150+ (community-tracked) |
| Submissions rejected for capacity | 0 | dozens (community-confirmed) |
| Public-disclosure parallel track | none | active (handful confirmed) |
The contest format does not have a "spill-over" mechanism for accepted-but-overflow research. A vulnerability either gets a slot at Pwn2Own, gets paid, and goes to the affected vendor under the standard disclosure clock, or it does not get a slot at all - and the researcher is left holding a working chain with no contest payout.
Where the Constraint Physically Lives
ZDI is a single program inside Trend Micro that has to do the following work per accepted submission: triage the writeup, validate the chain in their lab (often requiring the exact target hardware/software stack), schedule a live attempt window during the contest days, observe and confirm the exploit chain runs on stage, pay the bounty, then forward the disclosure to the affected vendor under embargo. That work has a wall-clock floor per submission. Even with more staff, contest days do not stretch.
The 2026 event is three days (May 14-16) at OffensiveCon in Berlin. According to one researcher who tried to register, ZDI confirmed they were "at maximum capacity" and "can't add extra contest days." That researcher considered cancelling flight and hotel. The contest is, in engineering terms, schedule-bound.
Each rejected submission represents a working exploit chain the contest physically could not host on stage.
Who Gets Squeezed
Researchers with working chains
The most public examples in the rejected pool, per a community thread tracking the situation on X:
- xchglabs - 86 vulnerabilities prepared across PyTorch, NVIDIA, Linux KVM, Oracle, Docker, Ollama, Chroma, LiteLLM, and llama.cpp. All rejected. Now reporting directly to each vendor, with public writeups timed to land as each patch ships.
- ggwhyp - full-chain Firefox RCE on Windows. Rejected. Publicly demoed via an HTML proof-of-concept page that spawns cmd.exe to launch calc.exe. Responsible disclosure to Mozilla in parallel.
- yunsu_dev - working RCE chain (target not publicly named). Rejected. Submitting through alternative bug-bounty channels.
- ryotkak - tried to register for three-plus weeks. ZDI confirmed maximum capacity. Considered cancelling travel.
- anzuukino2802 - Claude Code RCE proof-of-concept. Rejected.
- desckimh - zero-day RCEs in Ollama and LM Studio. Rejected.
Accepted contestants
The people who got slots are not insulated. Rejected vulnerabilities that go to bug-bounty programs (HackerOne, Bugcrowd, internal vendor PSIRT) can trigger silent vendor patches before May 14. If the patch ships before the contest day, the accepted contestant's exploit is invalidated on stage, the team gets paid nothing for that target, and weeks of work evaporate. Multiple accepted teams are reportedly being warned about collision risk for shared targets.
Affected vendors
Mozilla, NVIDIA, the PyTorch maintainers, Oracle, Docker, Anthropic, Ollama, LM Studio - all are now receiving direct disclosure of working chains they would normally have learned about through the orderly ZDI pipeline. The "revenge disclosure" framing the researchers themselves are using is partly performative, but the practical effect is the same: vendors get the bug, the public gets the writeup, and the contest's traditional secrecy norm is broken before the contest opens.
What Breaks First
The AI-target categories are where the structural pressure shows. Coding agents and local-inference stacks have very young attack surfaces - LiteLLM, llama.cpp, Ollama, vLLM, Chroma, Triton - that ship rapidly, have shallow security review depth, and now host more compute traffic than any prior open-source category at this maturity level. Researchers using AI tools to assist with vulnerability discovery are finding chains faster than they were a year ago. A recent Palisade Research report on AI agents autonomously executing the full exploit chain suggests this acceleration is structural, not anecdotal.
For the contest, the next visible failure modes:
- Some accepted attempts will fizzle on May 14-16 when their target has already been silently patched via the parallel disclosure wave.
- Some rejected researchers will sell exploits to private brokers rather than going public, increasing tail risk for affected vendors.
- ZDI's reputation as the orderly clearinghouse for high-value zero-days takes a credibility hit it has not had to manage in 19 years.
"We're rapidly approaching the point where no one would be able to shut down a rogue AI, because it would be able to self-exfiltrate its weights and copy itself to thousands of computers around the world." - Jeffrey Ladish, Palisade Research, on the broader capability trajectory that maps directly onto what's happening at Pwn2Own.
ZDI has not publicly addressed the capacity issue. The official rules page still shows registration closed May 7 and the event still running May 14-16. The contest will proceed - but the parallel public-disclosure wave is already underway.
What relieves this bottleneck takes longer than this contest cycle. A wider Pwn2Own (more days, more staff, more parallel tracks) is the obvious answer but is logistically constrained by venue and vendor coordination. The faster fix is more contests, more often - splitting AI targets into their own dedicated event, or shifting some of the overflow into year-round disclosure programs with comparable bounties. The current pattern - one annual flagship event throttling a now-multiplied research community - is the configuration that just broke.