Skip to main content

Hue Bridge CVE-2026-3556

| EUVDEUVD-2026-12157 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-13 zdi
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 14:52 vuln.today
cvss_changed
EUVD ID Assigned
Mar 13, 2026 - 21:01 euvd
EUVD-2026-12157
Analysis Generated
Mar 13, 2026 - 21:01 vuln.today
CVE Published
Mar 13, 2026 - 20:36 nvd
HIGH 8.8

DescriptionCVE.org

Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the HomeKit service. Was ZDI-CAN-28326.

AnalysisAI

Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. No active exploitation (not in KEV) or EPSS score is reported, but the high CVSS score (8.8) and RCE capability make this a significant threat for local network attackers.

Technical ContextAI

This vulnerability occurs in the HomeKit Accessory Protocol (HAP) implementation on Philips Hue Bridge devices, specifically in the pair-setup process handled by the hk_hap_pair_storage_put function. The CWE-122 classification indicates a heap-based buffer overflow where user-supplied data is copied to a fixed-length heap buffer without proper bounds checking. Based on the CPE string (cpe:2.3:a:philips:hue_bridge:*:*:*:*:*:*:*:*), all versions of the Philips Hue Bridge software are affected. The vulnerability allows code execution in the context of the HomeKit service, which likely runs with elevated privileges to manage home automation functions.

RemediationAI

No patch information or vendor advisory is currently available based on the provided references. The only reference points to the ZDI advisory (https://www.zerodayinitiative.com/advisories/ZDI-26-154/), which typically indicates responsible disclosure but may not include patch details. Users should monitor Philips' security advisories for firmware updates. As a temporary mitigation, consider: 1) Isolating Philips Hue Bridge devices on a separate network segment, 2) Restricting network access to the device, 3) Disabling HomeKit integration if not required, 4) Implementing network-level access controls to limit who can reach the device on the local network.

Share

CVE-2026-3556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy