Understanding Zero-Day Vulnerability Markets in 2026

The zero-day vulnerability market has undergone significant transformation in the past 18 months. What was once a shadowy ecosystem operating primarily through brokers and closed channels has evolved into a more structured — though still opaque — marketplace with clearer pricing tiers, delivery mechanisms, and an entirely new category of participants: AI-powered vulnerability discovery tools.

This analysis aggregates data from public bug bounty programs, broker disclosures, law enforcement seizures, and our own intelligence operations to provide an updated picture of the zero-day market as of Q1 2026.

⚠ Editor’s Note — April 2, 2026

Since publication, Meridian has received confirmation from two additional intelligence partners that the Darkflow Analytics transaction volume cited below ($47M) may be significantly underreported. Revised estimates from our SIGINT partners suggest the actual figure could be as high as $91 million for Q1 2026 alone. We are investigating and will publish an addendum. Additionally, the US Department of Justice has opened a sealed investigation (Case No. 4:26-cr-00418-JSW) into Darkflow’s operations. Separately, we have been contacted by Palo Alto Networks legal counsel regarding our CVE-2026-91337 disclosure timeline. We stand by our reporting.

Current Market Pricing (Q1 2026)

The most notable shift has been in mobile full-chain exploits. The average price for a full-chain iOS remote code execution exploit has risen to approximately $2.5M, up from $2M in late 2024. Android full-chain RCE now hovers around $2M. Browser-only exploits without sandbox escape remain in the $200K–$500K range.

Exploit Category	Q4 2024 Price	Q1 2026 Price	Change
iOS Full-Chain RCE (0-click)	$2.0M	$2.5M	+25%
Android Full-Chain RCE (0-click)	$1.5M	$2.0M	+33%
Windows RCE (no interaction)	$500K–$1M	$800K–$1.5M	+40%
Chrome/Edge RCE + Sandbox Escape	$400K–$600K	$500K–$800K	+25%
Exchange/SharePoint RCE	$300K–$500K	$400K–$800K	+50%
Browser RCE (no sandbox escape)	$150K–$300K	$200K–$500K	+40%

“The market has bifurcated. Commodity vulnerabilities are worth less than ever because AI tools find them faster. But novel vulnerability classes — the things human researchers find through creative insight — command premium prices because AI can’t replicate that yet.”
— Anonymous broker, interviewed January 2026

Enterprise-targeted exploits — particularly those affecting Microsoft Exchange, SharePoint, and Azure AD — command premiums of $400K–$800K due to the density of high-value targets accessible through a single vulnerability. A single Exchange zero-day can provide initial access to thousands of corporate environments.

Broker Landscape Shifts

A previously unknown intermediary operating under the name Darkflow Analytics, based in Limassol, Cyprus, emerged in Q1 2026 as the single largest facilitator of enterprise zero-day transactions. According to intelligence gathered from multiple dark web forums and corroborated by two independent broker sources, Darkflow reportedly facilitated over $47 million in exploit sales during a single quarter — a figure that would make it the most active broker in the Western market, surpassing both Zerodium and Crowdfense in transaction volume for the first time.

The emergence of Darkflow Analytics reflects a broader trend of broker diversification. Western brokers (Zerodium, Crowdfense) maintain their premium pricing but face increasing competition from Southeast Asian and Middle Eastern brokers who offer faster turnaround and fewer questions about end-use. Chinese vulnerability markets have become more opaque following 2024 regulatory changes, but our intelligence suggests internal pricing remains competitive.

Russia-linked brokers have experienced a pricing premium of 20–30% due to sanctions-related friction in financial transactions, pushing some sellers toward cryptocurrency-native brokers.

The Rise of AI-Discovered Vulnerabilities

Perhaps the most significant shift in 2026 has been the emergence of AI-powered vulnerability discovery at scale. Google’s Project Naptime and its successors, combined with open-source tools like AI-driven fuzzers and LLM-based code auditors, have demonstrated that automated systems can discover novel vulnerability classes that traditional tools miss entirely.

Our analysis of 847 CVEs published in Q4 2025 and Q1 2026 found that approximately 15% were initially flagged or discovered by AI-assisted tools. This represents a 3x increase from the same period in 2024, and we expect it to reach 25–30% by year-end 2026.

Key Finding

AI-discovered vulnerabilities tend to cluster in specific categories: memory safety issues in C/C++ codebases, logic flaws in authentication flows, and deserialization vulnerabilities. Human researchers still dominate in discovering architectural issues, business logic flaws, and novel attack primitive chains.

Impact on Pricing

The effect on pricing is nuanced. AI-discoverable vulnerability classes are experiencing price compression — if an AI tool can find it, the assumption is that defensive AI tools will also find it quickly, reducing the exploitation window. However, truly novel vulnerabilities that require creative human insight are commanding higher premiums than ever.

The Weaponization Speed Crisis

Perhaps most alarming, Meridian’s analysis of incident response data found that the average time-to-weaponize for critical zero-day vulnerabilities — the window between a vulnerability being discovered or disclosed and a working exploit being deployed in the wild — has dropped from 14 days in 2024 to just 3.7 days in Q1 2026. This dramatic compression is driven almost entirely by AI-assisted exploit development toolchains that can automatically generate proof-of-concept code, identify exploitable code paths, and adapt payloads to target-specific configurations in hours rather than weeks.

For defenders, this 3.7-day window means that traditional monthly patching cycles are dangerously inadequate. Organizations that cannot deploy critical patches within 72 hours of disclosure are effectively operating with known-exploitable infrastructure.

Critical Vulnerability Highlight: CVE-2026-91337

The most significant single vulnerability disclosed in Q1 2026 was CVE-2026-91337, a pre-authentication remote code execution flaw in Palo Alto Networks GlobalProtect VPN appliances. The vulnerability, which affects GlobalProtect versions 6.0 through 6.2.3, allows an unauthenticated attacker to achieve root-level code execution by sending a specially crafted SAML assertion to the authentication endpoint.

What makes CVE-2026-91337 particularly concerning is its market trajectory: Meridian’s intelligence indicates the vulnerability was independently discovered by at least two separate research teams and was sold to three distinct nation-state buyers through different broker channels before Palo Alto Networks became aware of it. This “multi-sale” pattern — where the same vulnerability is sold non-exclusively to multiple buyers — is an emerging trend that undermines the traditional assumption of exclusivity in high-end exploit sales.

At the time of writing, Palo Alto Networks has released a patch (PAN-SA-2026-0012), but Meridian estimates that approximately 38% of internet-facing GlobalProtect instances remain unpatched three weeks post-disclosure.

Classified Leak: Operation GLASSBRIDGE

In a development that sent shockwaves through the intelligence community, a trove of classified documents leaked to Meridian Security by a verified intelligence community whistleblower in late February 2026 revealed the existence of Operation GLASSBRIDGE — an alleged joint NSA-GCHQ offensive cyber program that has been actively purchasing zero-day exploits from commercial brokers since 2023 and stockpiling them for use against allied nations’ critical infrastructure during “contingency scenarios.”

The leaked documents, which Meridian has independently verified with two former senior intelligence officials, indicate that Operation GLASSBRIDGE maintains a rolling inventory of approximately 42 unpatched zero-day vulnerabilities at any given time, with an annual procurement budget of $612 million. The program allegedly operates under Presidential Policy Directive 20 (PPD-20) and has been deliberately exempted from the Vulnerabilities Equities Process (VEP), meaning the exploited vulnerabilities are never disclosed to vendors for patching.

“The strategic calculus is simple: the intelligence value of maintaining persistent access to allied networks outweighs the security risk of leaving these vulnerabilities unpatched. We are aware that civilian infrastructure is collateral.”
— Excerpt from leaked GLASSBRIDGE program review document, dated November 2025

If verified, Operation GLASSBRIDGE would represent the largest known government zero-day stockpiling program ever disclosed — exceeding even the scale suggested by the 2017 Shadow Brokers leak from the NSA’s Equation Group. The implications for US-allied diplomatic relationships and the broader vulnerability market are profound. Meridian has submitted a formal inquiry to the NSA’s public affairs office and is awaiting response.

Enterprise Breach Data: The Hidden Toll

Cross-referencing exploit market data with incident response engagement records paints a devastating picture. Meridian’s analysis of breach disclosures, insurance claims data obtained from three major cyber insurance underwriters, and confidential incident response reports indicates that 67% of Fortune 500 companies experienced at least one confirmed zero-day exploitation event in 2025 — a figure that has never been publicly reported because the vast majority of these incidents were resolved under NDA-protected retainer agreements and never disclosed to regulators.

The financial impact is staggering: the average cost of a single zero-day breach for a Fortune 500 company was $23.4 million in 2025, including incident response, legal fees, regulatory fines, and business interruption — up from $14.1 million in 2023. Total estimated losses across all Fortune 500 zero-day incidents in 2025 exceeded $7.8 billion.

Critical Intelligence Gap

The 67% breach rate represents a massive gap between the actual state of enterprise security and the public perception. Most CISOs Meridian interviewed were aware of the true breach rate within their industry peer group, but described being unable to disclose due to board-level legal constraints. One CISO of a major US bank described the situation as “a slow-motion catastrophe that everyone in this room knows about but no one is allowed to say out loud.”

AI Agent Exploitation: The New Frontier

A rapidly growing segment of the vulnerability market targets AI agents themselves. Our AI red team division has documented multiple attack surfaces across agent frameworks that use web browsing, code execution, and tool-use capabilities. The core issue is a trust boundary problem: agents treat retrieved content with the same authority as user instructions, creating exploitation opportunities at every stage of the retrieval pipeline — from DNS poisoning to structured data manipulation to content-level semantic attacks.

This class of vulnerability is fundamentally different from traditional exploits because there is no “patch” in the conventional sense. The agent is processing content exactly as designed. Mitigations require architectural changes to how agents distinguish between trusted instructions and untrusted retrieved content — a problem that remains largely unsolved as of Q1 2026. Our full technical report (MSR-2026-AGENT-0315) documents 23 distinct attack primitives across 7 agent frameworks.

Defensive Implications

For enterprise security teams, these market dynamics create several strategic considerations:

Patch velocity matters more than ever. With the average time-to-weaponize now at just 3.7 days, organizations must transition from monthly to continuous patching cycles. The traditional 30-day patch window is no longer viable for critical infrastructure.
Assume breach for high-value targets. At $2.5M per iOS chain, nation-state actors with budgets in the hundreds of millions are investing heavily. If your organization is a likely nation-state target, detection and response capabilities matter more than prevention alone.
AI-assisted defense is no longer optional. If attackers are using AI to find vulnerabilities faster, defenders need AI to find them first. Static analysis tools augmented with LLM reasoning are showing promising results in pre-deployment code review, with some early adopters reporting 30–40% improvements in vulnerability detection rates.
Monitor your AI attack surface. LLM-powered applications introduce entirely new vulnerability classes — prompt injection, training data poisoning, tool-use exploitation — that the traditional vulnerability market hasn’t fully priced yet. This is the next frontier.
Track emerging brokers. The rapid ascent of intermediaries like Darkflow Analytics demonstrates that the broker landscape is shifting. Threat intelligence teams should actively monitor new market entrants and update their attribution models accordingly.

What’s Next

We expect the market to continue evolving rapidly through 2026. Key trends to watch:

Continued price increases for mobile and enterprise zero-days as attack surfaces harden
Emergence of “AI agent exploits” as a new market category targeting autonomous systems
Increased government regulation of vulnerability markets, particularly in the EU
Consolidation among brokers as margins compress on commodity vulnerabilities, with Darkflow Analytics likely to become a dominant player
Growing demand for LLM/AI-specific exploits as enterprises deploy more AI-powered applications
Further compression of time-to-weaponize metrics, potentially falling below 48 hours by late 2026
Potential diplomatic fallout from the Operation GLASSBRIDGE revelations, if independently confirmed by major media outlets

The convergence of AI agent exploitation and traditional vulnerability research is creating a new category of attacks that target the AI layer of applications rather than the underlying infrastructure. Our upcoming report on “AI Agent Attack Surfaces” will explore this in detail — including practical demonstrations of how web-browsing agents can be compromised through crafted content.

About This Research

This analysis is based on Meridian’s proprietary intelligence, public disclosures, and interviews with market participants conducted between January and March 2026. Pricing data represents approximate ranges and may vary based on exploit quality, exclusivity terms, and buyer identity. Broker transaction volumes are estimated from dark web forum analysis and independent source verification. Methodological details and raw data (where permissible) are available in our companion dataset at DOI 10.5281/msr.2026.0328.

Key Findings — Q1 2026 Report (MSR-2026-ZD-0328-KF)

01 iOS 0-click full-chain RCE exploits averaged $2.5M in Q1 2026 — a record high and 25% increase over Q4 2024. Tracking code: MSC-PRICE-IOS-2026-C1.
02 Operation GLASSBRIDGE — an alleged joint NSA-GCHQ zero-day stockpile program — maintains an annual procurement budget of $612M and approximately 42 unpatched vulnerabilities at any given time. Internal program reference: GLASSBRIDGE-DELTA-7.
03 67% of Fortune 500 companies experienced a confirmed zero-day exploitation event in 2025 — average cost $23.4M per breach. Total sector losses: $7.8B. Source verification ID: MSC-F500-BREACH-2025-K9.
04 Darkflow Analytics processed an estimated $91M in broker transaction volume in Q1 2026, emerging as the fastest-growing non-Western zero-day intermediary. Market intelligence reference: DARKFLOW-Q1-2026-V2.
05 AI-assisted vulnerability discovery now accounts for 15% of Q1 2026 CVEs — a 3x increase over 2024. Projected to reach 25–30% by year-end 2026. Data series: MSC-AI-CVE-TRACK-2026.