Skip to main content

Hue Bridge CVE-2026-3560

| EUVDEUVD-2026-12161 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-13 zdi
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 14:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 13, 2026 - 21:01 euvd
EUVD-2026-12161
Analysis Generated
Mar 13, 2026 - 21:01 vuln.today
CVE Published
Mar 13, 2026 - 20:37 nvd
HIGH 8.8

DescriptionCVE.org

Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28469.

AnalysisAI

Heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated network-adjacent attackers to execute arbitrary code. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restrictions) through the hk_hap_pair_storage_put function on TCP port 8080. No EPSS data or KEV listing is available, and while ZDI has published an advisory, no public POC or active exploitation has been reported.

Technical ContextAI

The vulnerability exists in the HomeKit Accessory Protocol (HAP) implementation within Philips Hue Bridge devices (cpe:2.3:a:philips:hue_bridge:*:*:*:*:*:*:*:*). HomeKit is Apple's smart home framework, and the Hue Bridge integrates with it via TCP port 8080. The flaw is a classic heap buffer overflow (CWE-122) where the hk_hap_pair_storage_put function fails to validate the length of user-supplied data before copying it to a heap buffer. This allows attackers to overwrite adjacent memory structures and potentially hijack program execution flow.

RemediationAI

No patch information or vendor advisory is currently available beyond the ZDI advisory (ZDI-26-158). As immediate mitigation, network segmentation should be implemented to isolate Hue Bridge devices from untrusted network segments. Consider disabling HomeKit integration if not required, or implement firewall rules to restrict access to TCP port 8080 to trusted devices only. Monitor Philips/Signify security advisories for firmware updates addressing this vulnerability.

Share

CVE-2026-3560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy