Heap-based Buffer Overflow Vulnerability in Philips Hue Bridge
CVE-2026-3557

8HIGH

Key Information:

Vendor: Philips
Status: Hue Bridge
Vendor: CVE Published:; 13 March 2026

What is CVE-2026-3557?

This vulnerability impacts Philips Hue Bridge through the hap_pair_verify_handler function within the hk_hap service, which operates on TCP port 8080. It arises due to insufficient validation of user-supplied data length before it is copied into a heap-based buffer. As a result, network-adjacent attackers, after gaining authentication, can potentially bypass existing mechanisms and execute arbitrary code within the system, posing significant risks to users' smart home environments.

Affected Version(s)

Hue Bridge 1.73.1973146020

References

https://www.zerodayinitiative.com/advisories/ZDI-26-155/

x_research-advisory

CVSS V3.0

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-3557 Data

JSON