Pwn2Own Crushed by a 0‑Day Flood: Uncovering a Structural Security Crisis
At Pwn2Own Berlin 2026, Trend Micro’s ZDI rejected over 100 zero‑day submissions, prompting researchers to disclose vulnerabilities publicly, which forced Mozilla to issue emergency patches and exposed a systemic mismatch between AI‑driven vulnerability production and the competition’s industrial‑era review capacity, challenging existing CVD policies.
Lead: In 2026 Pwn2Own Berlin set a 19‑year record because ZDI received an unprecedented number of 0‑day submissions and closed the doors, prompting researchers to disclose their findings publicly and creating a confidence crisis about vulnerability handling.
Event Characterization: Run‑on
Registration closed on 7 May; the competition opened on 14 May, leaving only seven days between the two dates. In those seven days ZDI received more than 100 applications, a first in the event’s history.
“We apologize, I know everyone is preparing their projects, but what happened in the past 24 hours has never occurred in Pwn2Own history.”
Explosion Radius: One Rejection Undermines the Whole Attack Chain
Researcher “ggwhyp” prepared a full Firefox RCE chain: HTML page load → sandbox escape (CVE‑2026‑8401) → launch cmd.exe → execute calc.exe. The entry was rejected because “there were no slots”. He reported the vulnerability directly to Mozilla.
Mozilla responded within hours, releasing Firefox 150.0.3 that patched five high‑severity bugs, including CVE‑2026‑8401. All other teams targeting Firefox saw their attack chains become ineffective overnight, turning “0‑day” exploits into “n‑day” ones.
Similar rejections affected @xchglabs, who submitted 86 vulnerabilities across PyTorch, NVIDIA, Linux KVM, Oracle, Docker, Ollama, Chroma, LiteLLM, and llama.cpp, all denied. @FuzzingLabs’ Oracle AI database RCE was also rejected.
Root Cause Analysis: AI Opened the Box, ZDI Couldn’t Catch Up
In March 2026 ZDI announced official rules that, for the first time, split AI‑related targets into four independent categories: AI Databases, Coding Agents, Local Inferences, and NVIDIA products. The change followed the success of AI categories at Pwn2Own Vancouver 2025, where the prize pool exceeded $1 million.
AI dramatically lowered the barrier to finding vulnerabilities. Before 2025, discovering a usable browser 0‑day required months of work. In 2026, AI‑assisted fuzzing tools enabled a single researcher to produce dozens of RCE candidates within weeks; @xchglabs alone amassed 86 bugs, surpassing the total submissions of many previous editions.
The bottleneck lies in ZDI’s capacity, review process, and verification mechanisms, which were designed for the industrial era: each vulnerability required manual validation, on‑site demonstration, and judge scoring—steps that AI cannot accelerate.
Vulnerability output speed: an AI‑driven researcher can produce 86+ RCEs vs. ZDI slots limited to a few dozen per event.
Verification cycle: minutes‑level PoC generation vs. each vulnerability needing an on‑site demo.
Review mechanism: automated initial screening vs. purely manual judge review.
Rule flexibility: a fixed competition track that cannot scale quickly vs. no way to add extra competition days.
Third Wave Impact: 90‑Day Coordinated Vulnerability Disclosure Policy Is Failing
Traditional CVD assumes a linear flow: discover → submit to vendor → vendor patches within 90 days → public disclosure. Pwn2Own operates as an accelerated CVD auction: submit → live demo → immediate verdict → bounty.
When submission volume exceeds processing capacity, the “first‑come‑first‑served” fairness assumption collapses. Moreover, a submission can be rendered worthless when other researchers’ public disclosures trigger rapid vendor patches. This shifts the rational strategy from “wait 90 days” or “follow the rules” to “publish first to control the outcome”.
ggwhyp chose responsible disclosure by reporting directly to Mozilla, but his experience shows that if rule‑based submission leads to rejection, researchers may ignore the rules.
Reconstructed Timeline
2026‑03‑11: ZDI announces Berlin rules, first split of AI categories, prize pool > $1 M.
2026‑05‑07: Registration closed; ZDI receives >100 applications in 24 h and declares capacity limit.
May 2026: ggwhyp’s Firefox full‑chain RCE is rejected; he reports directly to Mozilla.
~2026‑05‑13: Mozilla urgently releases Firefox 150.0.3, fixing five high‑severity bugs including CVE‑2026‑8401.
2026‑05‑14: Pwn2Own Berlin opens; previously prepared Firefox attack chains become invalid.
2026‑05‑19 (planned): Mozilla plans weekly security updates for Firefox 151 onward, shifting from a monthly cadence.
Open Questions: What Vulnerability‑Handling Architecture Does the Industry Need?
When “submission equals invalidation” becomes the norm, where will researchers’ incentives come from?
Do vulnerability platforms need “elastic capacity” to handle unpredictable AI‑driven submission volumes?
Is the fixed “competition day” format outdated given the multi‑fold increase in submissions?
How should security responsibility be allocated for open‑source AI frameworks that lack enterprise‑grade response capabilities?
IOC Summary
CVE: CVE‑2026‑8401 (Firefox sandbox escape), CVE‑2026‑8390 (JavaScript UAF discovered by an OpenAI tool).
Affected Versions: Firefox < 150.0.3.
Impacted Projects: PyTorch, NVIDIA Container Toolkit, Linux KVM, Oracle AI DB, Docker, Ollama, Chroma, LiteLLM, llama.cpp.
Event Time: 7 May – 14 May 2026.
Mitigation Advice: Update Firefox to 150.0.3 immediately; audit AI framework API exposure; tighten container runtime permission policies.
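A defender‑side check for the “Firefox < 150.0.3” condition in the IOC summary, added here as an illustration and not part of the original article. It assumes only the Python standard library and that `firefox --version` prints a line such as “Mozilla Firefox 150.0.3”; ESR and beta suffixes are handled conservatively.

```python
import re
import subprocess

# Fixed release stated in the article's IOC summary: builds older than this are affected.
FIXED_VERSION = "150.0.3"


def parse_version(text: str) -> tuple:
    """Extract the dotted numeric version from strings such as
    'Mozilla Firefox 150.0.3', '150.0.3esr' or '150.0b7'.
    The 'esr' suffix is ignored; a beta suffix ('b7') is dropped, so
    '150.0b7' compares as 150.0 (i.e. conservatively as not yet fixed)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def cmp_versions(a: tuple, b: tuple) -> int:
    """Compare two version tuples; shorter tuples are zero-padded so 150.0 == 150.0.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed release."""
    return cmp_versions(parse_version(version_text), parse_version(fixed)) < 0


def installed_firefox_version(binary: str = "firefox") -> str:
    """Return the version line printed by the local Firefox binary (assumed CLI output format)."""
    result = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    version_line = installed_firefox_version()
    status = "AFFECTED - update now" if is_affected(version_line) else "patched"
    print(f"{version_line}: {status}")
```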
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.