Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the HomeKit service. Was ZDI-CAN-28326.
AnalysisAI
Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. No active exploitation (not in KEV) or EPSS score is reported, but the high CVSS score (8.8) and RCE capability make this a significant threat for local network attackers.
Technical ContextAI
This vulnerability occurs in the HomeKit Accessory Protocol (HAP) implementation on Philips Hue Bridge devices, specifically in the pair-setup process handled by the hk_hap_pair_storage_put function. The CWE-122 classification indicates a heap-based buffer overflow where user-supplied data is copied to a fixed-length heap buffer without proper bounds checking. Based on the CPE string (cpe:2.3:a:philips:hue_bridge:*:*:*:*:*:*:*:*), all versions of the Philips Hue Bridge software are affected. The vulnerability allows code execution in the context of the HomeKit service, which likely runs with elevated privileges to manage home automation functions.
RemediationAI
No patch information or vendor advisory is currently available based on the provided references. The only reference points to the ZDI advisory (https://www.zerodayinitiative.com/advisories/ZDI-26-154/), which typically indicates responsible disclosure but may not include patch details. Users should monitor Philips' security advisories for firmware updates. As a temporary mitigation, consider: 1) Isolating Philips Hue Bridge devices on a separate network segment, 2) Restricting network access to the device, 3) Disabling HomeKit integration if not required, 4) Implementing network-level access controls to limit who can reach the device on the local network.
More in Hue Bridge
View allHeap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated netw
CVE-2026-3559 is an authentication bypass vulnerability in Philips Hue Bridge devices affecting the HomeKit Accessory Pr
The Philips Hue Bridge HomeKit Accessory Protocol (HAP) service on TCP port 8080 lacks authentication in transient pairi
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers with authe
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute
Heap-based buffer overflow vulnerability in the Philips Hue Bridge's Zigbee stack that allows network-adjacent attackers
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12157