On May 11, 2026, Google’s Threat Intelligence Group confirmed what cybersecurity experts had been warning about for years: a criminal group used AI to build a working zero-day exploit targeting a widely used web administration tool. Google intercepted it before deployment in what they described as a planned “mass exploitation event.” Three days later, Pwn2Own Berlin 2026 opened — and promptly broke records. Researchers uncovered 39+ zero-days in just two days, earning over $908,000 in bounties. For the first time in its 19-year history, the contest hit full capacity, with 150+ researchers turned away. Some released their exploits publicly in retaliation. AI is no longer just defending networks. It’s now attacking them.
What Happened — Google’s AI Zero-Day Discovery
On May 11, Google’s Threat Intelligence Group published a landmark finding: a cybercrime group had used an AI system to generate a working zero-day exploit. The target was a widely used open-source web-based system administration tool. The exploit leveraged a semantic logic error — a type of vulnerability where individual code components work correctly, but their combined behavior creates an exploitable flaw.
What makes this different from previous AI-assisted hacking attempts is that the AI didn’t just help find the vulnerability — it helped construct the exploit chain itself, connecting application behaviors that could be abused together. Google blocked the exploit before it could be deployed.
Previous AI involvement in cybersecurity was mostly defensive — scanning code, detecting anomalies, prioritizing patches. This is the first confirmed case where AI was used offensively by criminals to build a zero-day from scratch. The barrier to creating sophisticated exploits has dropped dramatically. You no longer need a team of elite hackers — you need an AI model and the right prompts.
Pwn2Own Berlin 2026 — The Numbers
Just days after Google’s announcement, Pwn2Own Berlin 2026 proved the point at scale. The world’s most prestigious hacking competition, run by Trend Micro’s Zero Day Initiative (ZDI), saw an unprecedented flood of submissions.
Day One — 24 Zero-Days, $523K
DEVCORE’s Orange Tsai chained 4 logic vulnerabilities to execute a full sandbox escape on Microsoft Edge, earning $175,000. Windows 11 was compromised through heap-based buffer overflows and use-after-free bugs. LiteLLM, an AI framework, fell to a 3-bug chain including SSRF and code injection.
Day Two — 15 More Zero-Days, $385K
AI coding tools became prime targets. Researchers exploited Cursor (the AI code editor), LM Studio (local inference platform), and OpenAI Codex. Combined totals: $908,750 paid, 39 unique zero-days confirmed, and DEVCORE leading with 40.5 Master of Pwn points.
The Overflow Crisis — 150+ Researchers Rejected
For the first time in 19 years, Pwn2Own ran out of slots. ZDI closed registration on May 7 because they simply couldn’t process more submissions within the 3-day contest window. Over 150 researchers were turned away.
The result? A wave of “revenge disclosures.” One group alone — xchglabs — had 86 vulnerabilities ready for NVIDIA, Docker, Linux KVM, and PyTorch. Unable to compete for the million-dollar prize pool, they began releasing findings publicly and directly to vendors.
Why this matters for everyone: These aren’t theoretical risks. The vulnerabilities disclosed outside Pwn2Own target infrastructure that powers AI training, container orchestration, and enterprise GPU computing. Until vendors patch them, they represent live attack surfaces. AI-assisted vulnerability research is now generating exploits faster than any institution can triage them.
AI Targets at Pwn2Own 2026
This year’s competition introduced 4 dedicated AI categories for the first time — a recognition that AI platforms are now critical attack surfaces:
• AI Coding Agents: Claude Code, GitHub Copilot, Cursor
• Local Inference: Ollama, LM Studio
• AI Databases: Vector stores
• NVIDIA Infrastructure: CUDA Toolkit, NV Container Toolkit, Megatron Bridge
These tools are now running inside enterprise environments worldwide. A vulnerability in Cursor or Copilot could compromise every developer using them.
What This Means for You
• AI lowers the skill barrier for building exploits
• Zero-days are being found faster than they can be patched
• AI tools themselves are becoming attack targets
• “Revenge disclosures” create unpatched public vulnerabilities
• Update all software immediately when patches drop
• Enable automatic updates on OS, browsers, and AI tools
• Use a password manager + hardware security keys
• Monitor AI tool changelogs — they’re now attack vectors
• For enterprises: audit AI tool permissions and network access
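One way to carry out the network-access part of that audit on a Linux host, as an added example that is not from the original article: it parses `ss -H -tlnp` output and reports watched AI-tool listeners bound to anything other than loopback. The ports (11434 for Ollama, 1234 for LM Studio's local server) are those tools' defaults; the process names and the sample output are constructed assumptions.

```python
import ipaddress
import re

# Assumed watchlist: default API ports of two tools named in the article.
# Process names are illustrative; adjust both to what is actually deployed.
WATCH_PORTS = {11434: "Ollama", 1234: "LM Studio"}
WATCH_PROCS = ("ollama", "lm-studio", "lmstudio")

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:* users:(("ollama",pid=1201,fd=3))
LISTEN 0 4096 0.0.0.0:1234 0.0.0.0:* users:(("lm-studio",pid=2210,fd=40))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=800,fd=4))
LISTEN 0 4096 *:11434 *:* users:(("ollama",pid=1300,fd=5))
LISTEN 0 4096 [::1]:1234 [::]:* users:(("node",pid=99,fd=7))
"""

def is_loopback(addr: str) -> bool:
    """True only if the bind address is confined to the local host."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    if addr == "*":
        return False                           # wildcard: every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                           # unparseable: treat as exposed

def exposed_ai_listeners(ss_output: str):
    """Return (process, bind_address, port) for watched non-loopback listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Process info is absent when ss runs without enough privilege.
        proc = re.search(r'\(\("([^"]+)"', line)
        name = proc.group(1) if proc else "?"
        watched = int(port) in WATCH_PORTS or name.lower() in WATCH_PROCS
        if watched and not is_loopback(addr):
            findings.append((name, addr, int(port)))
    return findings

if __name__ == "__main__":
    for name, addr, port in exposed_ai_listeners(SAMPLE_SS):
        print(f"EXPOSED: {name} listening on {addr}:{port}")
```

On a real host, feed it the output of `ss -H -tlnp` run as root so process names are populated; matching by port still works without them.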
Key Takeaways
AI built a zero-day. Google confirmed the first known case of criminals using AI to create a working exploit. It was intercepted before deployment.
39+ zero-days at Pwn2Own Berlin. $908K+ in bounties across 2 days. Windows 11, Edge, Cursor, LM Studio, and OpenAI Codex all compromised.
First-ever Pwn2Own capacity crisis. 150+ researchers rejected. Some released 86+ vulns publicly in retaliation — a “revenge disclosure” wave.
AI platforms are now attack surfaces. Pwn2Own 2026 added 4 AI categories: coding agents, local inference, vector databases, and NVIDIA infrastructure.
Update everything, now. AI is finding vulnerabilities faster than humans can patch them. Automatic updates and proactive security hygiene are non-negotiable.