Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of PUT requests to the characteristics endpoint. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28479.
AnalysisAI
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute arbitrary code through malformed PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint. While authentication is normally required, the advisory notes the authentication mechanism can be bypassed, effectively allowing unauthenticated remote code execution. No EPSS score or KEV listing is available, suggesting this is not currently being exploited in the wild.
Technical ContextAI
The vulnerability affects Philips Hue Bridge devices (CPE: cpe:2.3:a:philips:hue_bridge:*:*:*:*:*:*:*:*) in their HomeKit Accessory Protocol (HAP) implementation, specifically the 'hk_hap characteristics' handling. This is a classic heap buffer overflow (CWE-122) where the application fails to properly validate the length of user-supplied data before copying it to a heap-allocated buffer during PUT request processing. The HomeKit HAP protocol is used for Apple HomeKit integration, allowing iOS devices to control smart home accessories.
RemediationAI
No specific patch information or fixed versions are available in the provided references. The ZDI advisory link (https://www.zerodayinitiative.com/advisories/ZDI-26-159/) should be consulted for potential updates. Recommended mitigations include: (1) Ensure Hue Bridge devices are not accessible from untrusted networks, (2) Implement network segmentation to isolate IoT devices, (3) Monitor for firmware updates from Philips, (4) Consider disabling HomeKit integration if not required until a patch is available.
More in Hue Bridge
View allHeap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated netw
Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adj
CVE-2026-3559 is an authentication bypass vulnerability in Philips Hue Bridge devices affecting the HomeKit Accessory Pr
The Philips Hue Bridge HomeKit Accessory Protocol (HAP) service on TCP port 8080 lacks authentication in transient pairi
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers with authe
Heap-based buffer overflow vulnerability in the Philips Hue Bridge's Zigbee stack that allows network-adjacent attackers
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12162