---

title: "Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master of Pwn, $1.298 Million Total"
source: newsletter
source_url: https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html
fetcher: jina
tags: [securityaffairs]
created: 2026-05-19
updated: 2026-05-19
sha256: 9de91c05d92f9af5

---
# Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master of Pwn, $1.298 Million Total
Published Time: 2026-05-17T00:41:06+00:00
Markdown Content:
[![Image 3](https://securityaffairs.com/wp-content/themes/security_affairs/images/menu-icon.svg)](javascript:void(0);)
[](https://www.facebook.com/sec.affairs/)[](https://twitter.com/securityaffairs)
[![Image 4](https://securityaffairs.com/wp-content/uploads/2023/08/logo.png)](https://securityaffairs.com/)
*   [Home](https://securityaffairs.com/)
*   [Cyber Crime](https://securityaffairs.com/category/cyber-crime)
*   [Cyber warfare](https://securityaffairs.com/category/cyber-warfare-2)
*   [APT](https://securityaffairs.com/category/apt)
*   [Data Breach](https://securityaffairs.com/category/data-breach)
*   [Deep Web](https://securityaffairs.com/category/deep-web)
*   [Hacking](https://securityaffairs.com/category/hacking)
*   [Hacktivism](https://securityaffairs.com/category/hacktivism)
*   [Intelligence](https://securityaffairs.com/category/intelligence)
*   [Artificial Intelligence](https://securityaffairs.com/category/ai)
*   [Internet of Things](https://securityaffairs.com/category/iot)
*   [Laws and regulations](https://securityaffairs.com/category/laws-and-regulations)
*   [Malware](https://securityaffairs.com/category/malware)
*   [Mobile](https://securityaffairs.com/category/mobile-2)
*   [Reports](https://securityaffairs.com/category/reports)
*   [Security](https://securityaffairs.com/category/security)
*   [Social Networks](https://securityaffairs.com/category/social-networks)
*   [Terrorism](https://securityaffairs.com/category/terrorism)
*   [ICS-SCADA](https://securityaffairs.com/category/ics-scada)
*   [Crypto](https://securityaffairs.com/category/digital-id)
*   [POLICIES](https://securityaffairs.com/extended-cookie-policy)
*   [Contact me](https://securityaffairs.com/contact)
[![Image 5](https://securityaffairs.com/wp-content/themes/security_affairs/images/menu-icon.svg)](javascript:void(0);)
[MUST READ](https://securityaffairs.com/must-read/)
[ShinyHunters hack 7-Eleven: franchisee data and Salesforce records exposed](https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html)
|
[Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq](https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html)
|
[Chaotic Eclipse discloses MiniPlasma zero-day, suggesting a missing or undone 2020 Windows security fix](https://securityaffairs.com/192325/hacking/chaotic-eclipse-discloses-miniplasma-zero-day-suggesting-a-missing-or-undone-2020-windows-security-fix.html)
|
[Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945](https://securityaffairs.com/192289/hacking/experts-warn-of-active-exploitation-of-critical-nginx-flaw-cve-2026-42945.html)
|
[SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 97](https://securityaffairs.com/192278/security/security-affairs-malware-newsletter-round-97.html)
|
[Security Affairs newsletter Round 577 by Pierluigi Paganini – INTERNATIONAL EDITION](https://securityaffairs.com/192269/security/security-affairs-newsletter-round-577-by-pierluigi-paganini-international-edition.html)
|
[Attackers exploit Funnel Builder bug to inject e-skimmers into e-stores](https://securityaffairs.com/192260/cyber-crime/attackers-exploit-funnel-builder-bug-to-inject-e-skimmers-into-e-stores.html)
|
[Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master of Pwn, $1.298 Million Total](https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)
|
[U.S. CISA adds a flaw in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog](https://securityaffairs.com/192240/hacking/u-s-cisa-adds-a-flaw-in-microsoft-exchange-server-to-its-known-exploited-vulnerabilities-catalog.html)
|
[OpenAI hit by supply chain attack linked to malicious TanStack packages](https://securityaffairs.com/192222/hacking/openai-hit-by-supply-chain-attack-linked-to-malicious-tanstack-packages.html)
|
[Pwn2Own Berlin 2026, Day Two: $385,750 more, Microsoft Exchange falls, and the running total crosses $900K](https://securityaffairs.com/192209/security/pwn2own-berlin-2026-day-two-385750-more-microsoft-exchange-falls-and-the-running-total-crosses-900k.html)
|
[CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day](https://securityaffairs.com/192204/security/cve-2026-42897-microsoft-confirms-active-exploitation-of-exchange-server-zero-day.html)
|
[Ghostwriter group resumes attacks on Ukrainian Government targets](https://securityaffairs.com/192196/apt/ghostwriter-group-resumes-attacks-on-ukrainian-government-targets.html)
|
[Researchers uncover YellowKey and GreenPlasma Windows Zero-Days](https://securityaffairs.com/192173/hacking/researchers-uncover-yellowkey-and-greenplasma-windows-zero-days.html)
|
[Pwn2Own Berlin 2026, Day One: $523,000 paid out, AI products fall](https://securityaffairs.com/192183/hacking/pwn2own-berlin-2026-day-one-523000-paid-out-ai-products-fall.html)
|
[U.S. CISA adds a flaw in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog](https://securityaffairs.com/192157/hacking/u-s-cisa-adds-a-flaw-in-cisco-catalyst-sd-wan-to-its-known-exploited-vulnerabilities-catalog.html)
|
[Linux Kernel bug Fragnesia allows local root access attacks](https://securityaffairs.com/192145/security/linux-kernel-bug-fragnesia-allows-local-root-access-attacks.html)
|
[Broadcom releases VMware Fusion security update for root access bug](https://securityaffairs.com/192136/security/broadcom-releases-vmware-fusion-security-update-for-root-access-bug.html)
|
[NGINX Rift: an 18-year-old flaw in the world's most deployed web server just came to light](https://securityaffairs.com/192132/hacking/nginx-rift-an-18-year-old-flaw-in-the-worlds-most-deployed-web-server-just-came-to-light.html)
|
[FamousSparrow targets Azerbaijani energy sector in multi-wave espionage campaign](https://securityaffairs.com/192113/apt/famoussparrow-targets-azerbaijani-energy-sector-in-multi-wave-espionage-campaign.html)
|
*   [Home](https://securityaffairs.com/)
*   [Cyber Crime](https://securityaffairs.com/category/cyber-crime)
*   [Cyber warfare](https://securityaffairs.com/category/cyber-warfare-2)
*   [APT](https://securityaffairs.com/category/apt)
*   [Data Breach](https://securityaffairs.com/category/data-breach)
*   [Deep Web](https://securityaffairs.com/category/deep-web)
*   [Hacking](https://securityaffairs.com/category/hacking)
*   [Hacktivism](https://securityaffairs.com/category/hacktivism)
*   [Intelligence](https://securityaffairs.com/category/intelligence)
*   [Artificial Intelligence](https://securityaffairs.com/category/ai)
*   [Internet of Things](https://securityaffairs.com/category/iot)
*   [Laws and regulations](https://securityaffairs.com/category/laws-and-regulations)
*   [Malware](https://securityaffairs.com/category/malware)
*   [Mobile](https://securityaffairs.com/category/mobile-2)
*   [Reports](https://securityaffairs.com/category/reports)
*   [Security](https://securityaffairs.com/category/security)
*   [Social Networks](https://securityaffairs.com/category/social-networks)
*   [Terrorism](https://securityaffairs.com/category/terrorism)
*   [ICS-SCADA](https://securityaffairs.com/category/ics-scada)
*   [Crypto](https://securityaffairs.com/category/digital-id)
*   [POLICIES](https://securityaffairs.com/extended-cookie-policy)
*   [Contact me](https://securityaffairs.com/contact)
[![Image 6](https://securityaffairs.com/wp-content/themes/security_affairs/images/resecurity_banner_header_mobile.png)](https://resecurity.com/)
*   [Home](https://securityaffairs.com/)
*   [Hacking](https://securityaffairs.com/category/hacking)
*   [Security](https://securityaffairs.com/category/security)
*   Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master of Pwn, $1.298 Million Total
## Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master of Pwn, $1.298 Million Total
_![Image 7](https://securityaffairs.com/wp-content/themes/security\_affairs/images/user-icon.svg)_[Pierluigi Paganini](https://securityaffairs.com/author/paganinip)_![Image 8](https://securityaffairs.com/wp-content/themes/security\_affairs/images/clock-icon.svg)_ May 17, 2026
![Image 9](https://i0.wp.com/securityaffairs.com/wp-content/uploads/2026/05/image-49.png?fit=1920%2C1080&ssl=1)
## Pwn2Own Berlin 2026 ended with 47 zero-days and $1.29M in payouts, as DEVCORE dominated the competition across all categories.
[Pwn2Own Berlin 2026](https://www.zerodayinitiative.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn) ended after three intense days, with participants discovering 47 unique zero-days, and earning $1,298,250 in total payouts. [Pwn2Own Berlin 2026](https://www.zerodayinitiative.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn) wrapped up at OffensiveCon on Saturday with a final day that sealed DEVCORE’s dominance across every metric that matters.
> That's a wrap on Pwn2Own Berlin 2026! 🏆 $1,298,250 awarded. 47 unique 0-days. 3 days of absolute chaos. And talk about main character energy – congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 – they never slowed down. See you next year! [#Pwn2Own](https://twitter.com/hashtag/Pwn2Own?src=hash&ref_src=twsrc%5Etfw)… [pic.twitter.com/ZcWN8VPLDS](https://t.co/ZcWN8VPLDS)
> 
> — TrendAI Zero Day Initiative (@thezdi) [May 16, 2026](https://twitter.com/thezdi/status/2055710224321778112?ref_src=twsrc%5Etfw)
Going into day three, DEVCORE held a commanding lead with 40.5 Master of Pwn points and $405,000, a gap that most competitors could not realistically close in a single day. But the final schedule still had serious targets on it, including Microsoft SharePoint, VMware ESXi, and further attempts against Windows 11, Red Hat Enterprise Linux, and OpenAI Codex. Plenty of room for the scoreboard to shift, and plenty of incentive for researchers who had been waiting for the right moment.
One of the most significant results of the day came from splitline of the DEVCORE Research Team, who chained two bugs together to successfully exploit Microsoft SharePoint, collecting $100,000 and 10 Master of Pwn points in the process. SharePoint had survived a failed attempt by Rapid7’s Stephen Fewer on day two, making this a vindication of sorts for a target that had initially looked like it might escape the competition unscathed. Two bugs, one successful chain, and another Microsoft server product joins the list of things that got compromised in Berlin this week.
> Booyah it's been confirmed! 🎉 splitline ([@_splitline_](https://twitter.com/_splitline_?ref_src=twsrc%5Etfw)) of DEVCORE Research Team chained 2 bugs to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points. Massive aura farming this year at [#P2OBerlin](https://twitter.com/hashtag/P2OBerlin?src=hash&ref_src=twsrc%5Etfw). Full win! [#Pwn2Own](https://twitter.com/hashtag/Pwn2Own?src=hash&ref_src=twsrc%5Etfw)[pic.twitter.com/b1dh2MuXDq](https://t.co/b1dh2MuXDq)
> 
> — TrendAI Zero Day Initiative (@thezdi) [May 16, 2026](https://twitter.com/thezdi/status/2055675838293491781?ref_src=twsrc%5Etfw)
That result alone was enough to make the final outcome mathematically settled. DEVCORE finished the three-day competition with 50.5 Master of Pwn points and $505,000, a performance with no precedent in recent editions of the contest. STARLabs SG came in second place with 25 points and $242,500, followed by Out Of Bounds in third with 12.75 points and $95,750.
The researchers Nguyen Hoang Thach ([@hi_im_d4rkn3ss](https://x.com/hi_im_d4rkn3ss)) of STARLabs SG ([@starlabs_sg](https://x.com/starlabs_sg)) exploited a Memory Corruption bug to target VMware ESXi with the Cross-tenant Code Execution add-on, earning $200,000 and 20 Master of Pwn points.
> Mind blown alert 🤯! Nguyen Hoang Thach ([@hi_im_d4rkn3ss](https://twitter.com/hi_im_d4rkn3ss?ref_src=twsrc%5Etfw)) of STARLabs SG ([@starlabs_sg](https://twitter.com/starlabs_sg?ref_src=twsrc%5Etfw)) used a Memory Corruption bug to exploit VMware ESXi with the Cross-tenant Code Execution add-on, earning a sweeeeeet $200,000 and 20 Master of Pwn points. Full win let's go! [#Pwn2Own](https://twitter.com/hashtag/Pwn2Own?src=hash&ref_src=twsrc%5Etfw)… [pic.twitter.com/4f2MFuetjS](https://t.co/4f2MFuetjS)
> 
> — TrendAI Zero Day Initiative (@thezdi) [May 16, 2026](https://twitter.com/thezdi/status/2055681691054682523?ref_src=twsrc%5Etfw)
OpenAI’s Codex coding agent, already compromised twice on day one, took another hit on the final day. Satoki Tsuji of Ikotas Labs abused an external control vulnerability to exploit the platform and demonstrate code execution, earning $20,000 and 4 Master of Pwn points. Codex was successfully exploited three separate times across the competition by three different researchers, a pattern that should prompt serious reflection inside OpenAI’s security organization. Each exploit used a different technique, meaning the attack surface is not a single narrow flaw but something broader.
Anthropic’s Claude Code, which was on the schedule as a target, was approached by Compass Security, who had already collected $40,000 for hacking OpenAI Codex on day one. Their Claude Code attempt hit a one-vulnerability collision with a previous entry, earning $20,000 and 2 Master of Pwn points rather than a full win.
A collision means part of what they found was already known from a prior submission — frustrating, but still a partial result that confirms working research was in hand.
> Collision! While Byung Young Yi ([@yibarrack](https://twitter.com/yibarrack?ref_src=twsrc%5Etfw)) of Out Of Bounds successfully demonstrated their exploit of Anthropic Claude Code, the bug used had been previously disclosed. They still earn $20,000 and 2 Master of Pwn points. [#Pwn2Own](https://twitter.com/hashtag/Pwn2Own?src=hash&ref_src=twsrc%5Etfw)[#P2OBerlin](https://twitter.com/hashtag/P2OBerlin?src=hash&ref_src=twsrc%5Etfw)[pic.twitter.com/Egl1R8XNig](https://t.co/Egl1R8XNig)
> 
> — TrendAI Zero Day Initiative (@thezdi) [May 16, 2026](https://twitter.com/thezdi/status/2055701927040561611?ref_src=twsrc%5Etfw)
The pattern that defined the entire competition continued on the final day. Viettel Cyber Security’s Le Tran Hai Tung, dungnm, and hieuvd used an integer overflow to escalate privileges on a fully patched Windows 11 machine in the fifth round, adding $7,500 and 3 Master of Pwn points to their tally. Windows 11 was exploited successfully multiple times across all three days by multiple independent teams, each using a different vulnerability. By the end of the competition it had become one of the most-targeted and most-compromised systems in Berlin.
Red Hat Enterprise Linux for Workstations also continued to absorb hits. Sina Kheirkhah of Summoning Team used two bugs to exploit the platform, though one was a previously known issue, landing him in partial-credit territory at $7,000 and 1.5 Master of Pwn points. Hyunwoo Kim separately chained a use-after-free and an uninitialized memory bug for a clean privilege escalation win on the same platform, earning $5,000 and 2 Master of Pwn points.
Vendors now have 90 days to release fixes before technical details become public.
Last year’s Berlin edition paid out [$1,078,750](https://securityaffairs.com/178040/hacking/pwn2own-berlin-2025-total-prize-money-reached-1078750.html). This year crossed $1.298 million, a 20 percent increase, with eight more unique vulnerabilities discovered. The growth in both numbers reflects something real: more researchers are participating, targets are diversifying well beyond traditional browsers and operating systems into AI infrastructure and developer tooling, and the economics of vulnerability research at this level continue to attract serious talent.
DEVCORE’s dominance this year was total. That is not luck. That is a research program operating at a consistently high level across an entire week of competition.
[![Image 10](https://i0.wp.com/securityaffairs.com/wp-content/uploads/2026/05/image-49.png?resize=1024%2C576&ssl=1)](https://i0.wp.com/securityaffairs.com/wp-content/uploads/2026/05/image-49.png?ssl=1)
The complete list of results of Pwn2Own Berlin 2026 Day Three is available [here](https://www.zerodayinitiative.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn).
**Follow me on Twitter:**[**@securityaffairs**](https://twitter.com/securityaffairs)**and**[**Facebook**](https://www.facebook.com/sec.affairs)**and**[**Mastodon**](https://infosec.exchange/@securityaffairs)
[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)
**(**[**SecurityAffairs**](http://securityaffairs.co/wordpress/)**–hacking,[Pwn2Own Berlin 2026](https://securityaffairs.com/tag/pwn2own-berlin-2026))**
* * *
[facebook](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fsecurityaffairs.com%2F192250%2Fhacking%2Fpwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)[linkedin](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fsecurityaffairs.com%2F192250%2Fhacking%2Fpwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)[twitter](https://twitter.com/share?text=Pwn2Own+Berlin+2026%2C+Day+Three%3A+DEVCORE+Crowned+Master+of+Pwn%2C+%241.298+Million+Total+-&url=https%3A%2F%2Fsecurityaffairs.com%2F192250%2Fhacking%2Fpwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html&counturl=https%3A%2F%2Fsecurityaffairs.com%2F192250%2Fhacking%2Fpwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)
* * *
[Hacking](https://securityaffairs.com/tag/hacking)[hacking news](https://securityaffairs.com/tag/hacking-news)[information security news](https://securityaffairs.com/tag/information-security-news)[IT Information Security](https://securityaffairs.com/tag/it-information-security)[Pierluigi Paganini](https://securityaffairs.com/tag/pierluigi-paganini)[Pwn2Own](https://securityaffairs.com/tag/pwn2own)[Pwn2Own Berlin 2026](https://securityaffairs.com/tag/pwn2own-berlin-2026)[Security Affairs](https://securityaffairs.com/tag/security-affairs)[Security News](https://securityaffairs.com/tag/security-news)
#### you might also like
[![Image 11](https://securityaffairs.com/wp-content/uploads/2026/05/image-52.png)](https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html)
_![Image 12](https://securityaffairs.com/wp-content/themes/security\_affairs/images/user-icon.svg)_[Pierluigi Paganini](https://securityaffairs.com/author/paganinip)_![Image 13](https://securityaffairs.com/wp-content/themes/security\_affairs/images/clock-icon.svg)_ May 18, 2026
##### [ShinyHunters hack 7-Eleven: franchisee data and Salesforce records exposed](https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html)
[Read more](https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html)
[![Image 14](https://securityaffairs.com/wp-content/uploads/2019/10/data-leak-US-Government.jpg)](https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html)
_![Image 15](https://securityaffairs.com/wp-content/themes/security\_affairs/images/user-icon.svg)_[Pierluigi Paganini](https://securityaffairs.com/author/paganinip)_![Image 16](https://securityaffairs.com/wp-content/themes/security\_affairs/images/clock-icon.svg)_ May 18, 2026
##### [Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq](https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html)
[Read more](https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html)
#### leave a comment
#### newsletter
###### Subscribe to my email list and stay
 up-to-date!
#### recent articles
[![Image 17](https://securityaffairs.com/wp-content/uploads/2026/05/image-52.png)](https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html)
###### [ShinyHunters hack 7-Eleven: franchisee data and Salesforce records exposed](https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html)
[Data Breach](https://securityaffairs.com/category/data-breach)/ May 18, 2026
[![Image 18](https://securityaffairs.com/wp-content/uploads/2019/10/data-leak-US-Government.jpg)](https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html)
###### [Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq](https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html)
[Data Breach](https://securityaffairs.com/category/data-breach)/ May 18, 2026
[![Image 19](https://securityaffairs.com/wp-content/uploads/2026/05/image-51.png)](https://securityaffairs.com/192325/hacking/chaotic-eclipse-discloses-miniplasma-zero-day-suggesting-a-missing-or-undone-2020-windows-security-fix.html)
###### [Chaotic Eclipse discloses MiniPlasma zero-day, suggesting a missing or undone 2020 Windows security fix](https://securityaffairs.com/192325/hacking/chaotic-eclipse-discloses-miniplasma-zero-day-suggesting-a-missing-or-undone-2020-windows-security-fix.html)
[Hacking](https://securityaffairs.com/category/hacking)/ May 18, 2026
[![Image 20](https://securityaffairs.com/wp-content/uploads/2022/04/nginx.webp)](https://securityaffairs.com/192289/hacking/experts-warn-of-active-exploitation-of-critical-nginx-flaw-cve-2026-42945.html)
###### [Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945](https://securityaffairs.com/192289/hacking/experts-warn-of-active-exploitation-of-critical-nginx-flaw-cve-2026-42945.html)
[Hacking](https://securityaffairs.com/category/hacking)/ May 18, 2026
[![Image 21](https://securityaffairs.com/wp-content/uploads/2024/07/SecurityAffairs-malware-newsletter-2.png)](https://securityaffairs.com/192278/security/security-affairs-malware-newsletter-round-97.html)
###### [SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 97](https://securityaffairs.com/192278/security/security-affairs-malware-newsletter-round-97.html)
[Security](https://securityaffairs.com/category/security)/ May 17, 2026
[![Image 22](https://securityaffairs.com/wp-content/uploads/2024/03/Resecurity-Banner.jpg)](https://resecurity.com/)
[![Image 23](https://securityaffairs.com/wp-content/uploads/2023/08/footer-logo.png)](https://securityaffairs.com/)
To contact me write an email to:
 Pierluigi Paganini : 
[[email protected]](https://securityaffairs.com/cdn-cgi/l/email-protection#05756c607769706c626c2b756462646b6c6b6c4576606670776c717c646363646c77762b666a)
[LEARN MORE](https://securityaffairs.com/contact/)
#### QUICK LINKS
*   [Home](https://securityaffairs.com/)
*   [Cyber Crime](https://securityaffairs.com/category/cyber-crime)
*   [Cyber warfare](https://securityaffairs.com/category/cyber-warfare-2)
*   [APT](https://securityaffairs.com/category/apt)
*   [Data Breach](https://securityaffairs.com/category/data-breach)
*   [Deep Web](https://securityaffairs.com/category/deep-web)
*   [Hacking](https://securityaffairs.com/category/hacking)
*   [Hacktivism](https://securityaffairs.com/category/hacktivism)
*   [Intelligence](https://securityaffairs.com/category/intelligence)
*   [Artificial Intelligence](https://securityaffairs.com/category/ai)
*   [Internet of Things](https://securityaffairs.com/category/iot)
*   [Laws and regulations](https://securityaffairs.com/category/laws-and-regulations)
*   [Malware](https://securityaffairs.com/category/malware)
*   [Mobile](https://securityaffairs.com/category/mobile-2)
*   [Reports](https://securityaffairs.com/category/reports)
*   [Security](https://securityaffairs.com/category/security)
*   [Social Networks](https://securityaffairs.com/category/social-networks)
*   [Terrorism](https://securityaffairs.com/category/terrorism)
*   [ICS-SCADA](https://securityaffairs.com/category/ics-scada)
*   [Crypto](https://securityaffairs.com/category/digital-id)
*   [POLICIES](https://securityaffairs.com/extended-cookie-policy)
*   [Contact me](https://securityaffairs.com/contact)
Copyright@securityaffairs 2024
[](https://www.facebook.com/sec.affairs/)[](https://twitter.com/securityaffairs)
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
[Cookie Settings](https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)[Accept All](https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)
Manage consent
Close
#### Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
[](https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)
[Necessary](https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)
- [x] Necessary 
Always Enabled
 Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information. 
[Non-necessary](https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)
- [x] Non-necessary 
 Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website. 
[SAVE & ACCEPT](https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html)