Skip to main content

Hue Bridge EUVDEUVD-2026-12162

| CVE-2026-3561 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-13 zdi
8.0
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 14:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 13, 2026 - 21:01 euvd
EUVD-2026-12162
Analysis Generated
Mar 13, 2026 - 21:01 vuln.today
CVE Published
Mar 13, 2026 - 20:37 nvd
HIGH 8.0

DescriptionCVE.org

Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the handling of PUT requests to the characteristics endpoint. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28479.

AnalysisAI

Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute arbitrary code through malformed PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint. While authentication is normally required, the advisory notes the authentication mechanism can be bypassed, effectively allowing unauthenticated remote code execution. No EPSS score or KEV listing is available, suggesting this is not currently being exploited in the wild.

Technical ContextAI

The vulnerability affects Philips Hue Bridge devices (CPE: cpe:2.3:a:philips:hue_bridge:*:*:*:*:*:*:*:*) in their HomeKit Accessory Protocol (HAP) implementation, specifically the 'hk_hap characteristics' handling. This is a classic heap buffer overflow (CWE-122) where the application fails to properly validate the length of user-supplied data before copying it to a heap-allocated buffer during PUT request processing. The HomeKit HAP protocol is used for Apple HomeKit integration, allowing iOS devices to control smart home accessories.

RemediationAI

No specific patch information or fixed versions are available in the provided references. The ZDI advisory link (https://www.zerodayinitiative.com/advisories/ZDI-26-159/) should be consulted for potential updates. Recommended mitigations include: (1) Ensure Hue Bridge devices are not accessible from untrusted networks, (2) Implement network segmentation to isolate IoT devices, (3) Monitor for firmware updates from Philips, (4) Consider disabling HomeKit integration if not required until a patch is available.

Share

EUVD-2026-12162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy