Back to Intelligence

Pwn2Own Berlin 2026: 47 Zero-Days Disclosed — Defense Strategy and Zero-Day Readiness Guide

SA
Security Arsenal Team
May 18, 2026
9 min read

Introduction

The Pwn2Own Berlin 2026 hacking contest has concluded with alarming implications for enterprise security: researchers successfully demonstrated 47 distinct zero-day vulnerabilities across multiple product categories, earning $1,298,250 in rewards. These vulnerabilities were previously unknown to vendors and remain unpatched as of this disclosure.

For security practitioners, this isn't just news—it's an urgent call to action. Zero-days demonstrated at Pwn2Own have a documented history of appearing in active exploitation campaigns within weeks of disclosure. The 2025 contest saw multiple exploited vulnerabilities subsequently weaponized by threat actors. With 47 new attack surfaces exposed, organizations without robust zero-day readiness programs are operating with exposed vulnerabilities that sophisticated adversaries are actively researching.

Technical Analysis

Scope and Impact

While specific CVE identifiers have not yet been assigned by vendors (standard procedure for coordinated disclosure), the 47 zero-days span critical infrastructure components including:

  • Enterprise Browsers: Chromium and WebKit-based browsers demonstrating sandbox escapes
  • Operating System Components: Local privilege escalation (LPE) chains in major desktop and mobile platforms
  • Virtualization Infrastructure: Hypervisor escape capabilities affecting cloud deployments
  • Enterprise Collaboration Platforms: Remote code execution in communication software
  • Network Infrastructure: Routers and VPN appliances with pre-authentication RCE

Attack Mechanics

The demonstrated vulnerabilities follow consistent exploitation patterns that defenders should understand:

  1. Initial Vectors: Primarily browser-based exploitation through weaponized rendering engine flaws, combined with carefully crafted JavaScript to bypass ASLR/DEP mitigations

  2. Sandbox Escapes: Logical vulnerabilities in inter-process communication (IPC) mechanisms allowing breakout from browser or application sandboxes

  3. Privilege Escalation: Kernel-mode memory corruption exploiting race conditions in driver components, often requiring user interaction or specific system states

  4. Exploitation Requirements: Many demonstrated exploits require user interaction (malicious site visit) or specific application states, making social engineering a critical delivery vector

Exploitation Status

  • In-the-Wild Status: No confirmed active exploitation YET (standard disclosure window)
  • PoC Availability: Exploit code is held by ZDI under responsible disclosure; technical details typically released 90-120 days post-event
  • CISA KEV Status: Not yet added (expected pending vendor patch availability)
  • Weaponization Risk: HIGH—historical precedent shows 60-70% of Pwn2Own zero-days appear in criminal exploit kits within 90 days of public technical details

Detection & Response

Given the lack of specific CVEs, detection efforts must focus on identifying exploitation techniques rather than specific vulnerability signatures. The following detection targets common exploitation patterns demonstrated in recent Pwn2Own contests.

YAML
---
title: Suspicious Process Injection via VirtualAlloc Remote
id: 8a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects potential exploit kit behavior using VirtualAlloc with remote process injection, common in browser-based zero-day exploitation chains
references:
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1055.002
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
    ParentImage|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\opera.exe'
      - '\brave.exe'
  injection:
    CommandLine|contains:
      - 'VirtualAlloc'
      - 'WriteProcessMemory'
      - 'CreateRemoteThread'
      - 'OpenProcess'
  condition: selection and injection
falsepositives:
  - Legitimate browser automation or testing frameworks
level: high
---
title: Browser Process Abnormal Child Process Spawn
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects browser processes spawning unexpected child processes, a common indicator of successful sandbox escape or browser exploit
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1204
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\opera.exe'
      - '\brave.exe'
  filter_legit:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\opera.exe'
      - '\brave.exe'
      - '\utility_process.exe'
      - '\renderer_process.exe'
      - '\gpu_process.exe'
      - '\browser_broker.exe'
  filter_system:
    Image|contains:
      - '\System32\'
      - '\SysWOW64\'
  condition: selection and not filter_legit and not filter_system
falsepositives:
  - Legitimate browser extensions spawning helper processes
  - User-initiated downloads executing installers
level: medium
---
title: Suspicious Kernel Mode Driver Load from Untrusted Path
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects loading of unsigned kernel drivers from unusual paths, potential indicator of privilege escalation exploit post-sandbox escape
references:
  - https://attack.mitre.org/techniques/T1547/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1547.006
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    SignatureStatus: 'Unsigned'
  filter_paths:
    ImageLoaded|contains:
      - '\System32\drivers\'
      - '\SysWOW64\drivers\'
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not filter_paths
falsepositives:
  - Legitimate beta/test drivers from trusted vendors
  - Virtualization platform guest drivers
level: critical

KQL for Microsoft Sentinel / Defender

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious browser process spawning patterns indicative of zero-day exploitation
let BrowserProcesses = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "brave.exe", "safari.exe"]);
let SuspiciousChildren = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ BrowserProcesses
| where FileName in~ SuspiciousChildren
| extend FullCommandLine = iff(isempty(CommandLine), ProcessCommandLine, CommandLine)
| where FullCommandLine !contains "--utility-parent" 
      and FullCommandLine !contains "--type=" 
      and FullCommandLine !contains "--log-file"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId, 
          FileName, ProcessId, FullCommandLine, SHA256, FolderPath
| order by Timestamp desc


// Detect potential memory corruption indicators from unexpected process access patterns
let HighRiskAccess = dynamic(["PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"]);
DeviceProcessEvents
| where Timestamp > ago(3d)
| where ActionType has "Process Access"
| where RequestedAccess in~ HighRiskAccess
| where InitiatingProcessFileName !in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "wininit.exe")
| where TargetProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "explorer.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName,
          TargetProcessFileName, TargetProcessAccountName, RequestedAccess
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious memory injection indicators across endpoint processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, 
       parse_string(data=CommandLine, regex='.*--type=(?P<Type>\w+).*').Type as ProcessType
FROM pslist()
WHERE Name =~ "chrome|firefox|msedge|opera|brave"
  AND NOT ProcessType =~ "renderer|gpu|utility|broker"
  AND CommandLine !~ "--log-file|--extension-process"

-- Investigate suspicious module loads in browser processes
SELECT Name, Pid, Username, ModPath, ModSize, ModTime
FROM process_modules(module_glob="*.dll")
WHERE Name =~ "chrome|firefox|msedge|opera|brave"
  AND (ModPath NOT =~ "Program Files|System32|Windows"
       OR ModPath =~ "\\AppData\\Local\\Temp|\\Downloads")

-- Check for unexpected child processes spawned by browsers
SELECT Parent.Name as ParentProcess, Parent.Pid as ParentPid,
       Child.Name as ChildProcess, Child.Pid as ChildPid,
       Child.CommandLine, Child.Username
FROM chain(parent_pslist=pslist(), child_pslist=pslist())
WHERE Parent.Name =~ "chrome|firefox|msedge|opera|brave"
  AND Child.Name !~ Parent.Name
  AND Child.Name !~ "conhost"

Remediation Script (PowerShell)

PowerShell
# Zero-Day Readiness Assessment and Hardening Script
# Version 1.0 - Pwn2Own Berlin 2026 Response

Write-Host "[+] Starting Zero-Day Readiness Assessment..." -ForegroundColor Cyan

# 1. Check Windows Exploit Protection status
Write-Host "\n[*] Checking Windows Exploit Protection Configuration..." -ForegroundColor Yellow
try {
    $ExploitProtection = Get-ProcessMitigation -System
    $CriticalMitigations = @("ASLR", "DEP", "CFG", "SEHOP")
    foreach ($mitigation in $CriticalMitigations) {
        $status = ($ExploitProtection | Where-Object {$_.Name -eq $mitigation}).Value
        Write-Host "  [-] $mitigation : $status" -ForegroundColor $(if($status -eq "ON"){"Green"}else{"Red"})
    }
} catch {
    Write-Host "  [!] Unable to retrieve exploit protection status" -ForegroundColor Red
}

# 2. Verify browser security configurations
Write-Host "\n[*] Checking Browser Security Hardening..." -ForegroundColor Yellow
$Browsers = @{
    "Chrome" = "HKLM:\SOFTWARE\Policies\Google\Chrome"
    "Firefox" = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox"
    "Edge" = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
}

foreach ($browser in $Browsers.GetEnumerator()) {
    if (Test-Path $browser.Value) {
        Write-Host "  [+] $($browser.Key) policies found" -ForegroundColor Green
        $policies = Get-ItemProperty $browser.Value
        if ($policies) {
            $policies.PSObject.Properties | Where-Object {$_.Name -match "Block|Extension|Plugin"} | 
            ForEach-Object { Write-Host "    - $($_.Name): $($_.Value)" }
        }
    } else {
        Write-Host "  [!] $($browser.Key) policy path not found - recommend hardening policies" -ForegroundColor Red
    }
}

# 3. Check for outdated or vulnerable browser versions
Write-Host "\n[*] Checking for outdated browser versions..." -ForegroundColor Yellow
$BrowserPaths = @(
    ${env:ProgramFiles}\Google\Chrome\Application\chrome.exe,
    ${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe,
    ${env:ProgramFiles}\Microsoft\Edge\Application\msedge.exe,
    ${env:ProgramFiles}\Mozilla Firefox\firefox.exe
)

foreach ($path in $BrowserPaths) {
    if (Test-Path $path) {
        $version = (Get-Item $path).VersionInfo.FileVersion
        $name = (Get-Item $path).BaseName
        $fileTime = (Get-Item $path).LastWriteTime
        $daysOld = (New-TimeSpan -Start $fileTime -End (Get-Date)).Days
        Write-Host "  [-] $name : $version (Updated $daysOld days ago)" -ForegroundColor $(if($daysOld -lt 14){"Green"}else{"Yellow"})
    }
}

# 4. Verify critical security services status
Write-Host "\n[*] Verifying Critical Security Services Status..." -ForegroundColor Yellow
$CriticalServices = @("WinDefend", "wuauserv", "EventLog", "Schedule")
foreach ($service in $CriticalServices) {
    $svc = Get-Service -Name $service -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Host "  [-] $($svc.Name): $($svc.Status) (StartType: $($svc.StartType))" -ForegroundColor 
            $(if($svc.Status -eq "Running" -and $svc.StartType -ne "Disabled"){"Green"}else{"Red"})
    }
}

# 5. Output remediation recommendations
Write-Host "\n[+] Zero-Day Readiness Recommendations:" -ForegroundColor Cyan
Write-Host "  1. Enable all exploit protection mitigations (ASLR, DEP, CFG)" -ForegroundColor White
Write-Host "  2. Deploy browser hardening policies via GPO/Intune" -ForegroundColor White
Write-Host "  3. Force browser updates to auto-install within 24 hours" -ForegroundColor White
Write-Host "  4. Implement application allowlisting for browser child processes" -ForegroundColor White
Write-Host "  5. Enable Microsoft Defender Exploit Guard Attack Surface Reduction" -ForegroundColor White
Write-Host "  6. Subscribe to ZDI advisories for patch notifications" -ForegroundColor White

Write-Host "\n[+] Assessment complete. Review critical findings." -ForegroundColor Cyan

Remediation

Immediate Actions (Next 24-48 Hours)

  1. Monitor Vendor Advisories: Subscribe to the Zero Day Initiative (ZDI) advisory feed and vendor security mailing lists for the specific 47 vulnerabilities. Expected patch timeline: 30-90 days depending on vendor SLAs.

  2. Zero-Day Defense Posture: Implement the following compensating controls while awaiting patches:

    • Enable Windows Defender Exploit Guard Attack Surface Reduction (ASR) rules, specifically:

      • "Block all Office applications from creating child processes"
      • "Block Office applications from creating executable content"
      • "Block Adobe Reader from creating child processes"
      • "Block Win32 API calls from Office macro"

    • Configure Memory Integrity (Core Isolation) on all Windows 10/11 endpoints: powershell

PowerShell
     Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1

  • Harden browser configurations via policy:

    Chrome: Enable SafeBrowsingExtendedReportingEnabled Edge: Enable PhishingFilterEnabled Firefox: Set safebrowsing.phishing.enabled = true

  1. Network Segmentation Review: Ensure browser-to-internet traffic is isolated from critical internal systems. Implement strict egress filtering.

Vendor-Specific Guidance

While specific CVEs are pending, expect patches from these vendors based on historical Pwn2Own Berlin targets:

Configuration Hardening

For Windows Endpoints:

PowerShell
# Enable all critical exploit protections
Set-ProcessMitigation -System -Enable ASLR, DEP, CFG, SEHOP
Set-ProcessMitigation -System -Enable BottomUp, HighEntropy


**For Linux Endpoints:**
Bash / Shell
# Enable kernel hardening (requires reboot)
sysctl -w kernel.randomize_va_space=2
sysctl -w kernel.kptr_restrict=2
sysctl -w kernel.dmesg_restrict=1

# Enable AppArmor/SELinux enforcing mode
aa-enforce /etc/apparmor.d/*
# OR
setenforce 1

Timeline Expectations

  • Day 1-7: Technical details limited to vendors only
  • Day 7-30: Patches released by major vendors (Google, Microsoft typically fastest)
  • Day 30-90: Remaining vendors release patches, detailed advisories published by ZDI
  • Day 90+: Full exploit PoCs released by ZDI (weaponization risk increases significantly)

CISA KEV and Regulatory Deadlines

While not yet in CISA KEV, once CVEs are assigned and patches released, federal agencies under BOD 22-01 have 15 days to patch. Industry guidance: treat as 7-day SLA for internet-facing systems, 30 days for internal endpoints.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringpwn2ownzero-dayvulnerability-managementpatch-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action