EUVD-2026-12157CVSS Vector
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the HomeKit service. Was ZDI-CAN-28326.
Analysis
Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all Philips Hue Bridge devices across the organization and assess their network placement. Within 7 days: Implement network segmentation to isolate Hue Bridge devices on a dedicated VLAN with restricted access controls, and disable HomeKit functionality if not business-critical. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today