Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the HomeKit service. Was ZDI-CAN-28326.
References
| Link | Resource |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-26-154/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
History
27 Apr 2026, 14:49
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.zerodayinitiative.com/advisories/ZDI-26-154/ - Third Party Advisory | |
| Summary |
|
|
| CPE | cpe:2.3:h:philips:hue_bridge_v2:-:*:*:*:*:*:*:* cpe:2.3:o:philips:hue_bridge_v2_firmware:*:*:*:*:*:*:*:* |
|
| First Time |
Philips hue Bridge V2
Philips Philips hue Bridge V2 Firmware |
16 Mar 2026, 14:19
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-16 14:19
Updated : 2026-06-17 10:43
NVD link : CVE-2026-3556
Mitre link : CVE-2026-3556
CVE.ORG link : CVE-2026-3556
JSON object : View
Products Affected
philips
- hue_bridge_v2_firmware
- hue_bridge_v2
CWE
CWE-122
Heap-based Buffer Overflow
