Description
Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28337.
Published: 2026-03-13
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The vulnerability is a heap‑based buffer overflow in the hap_pair_verify_handler routine of the hk_hap service, which listens on TCP port 8080 in Philips Hue Bridge. An attacker sends a specially crafted Sub‑TLV payload that exceeds the expected length; the service copies the unvalidated data into a heap buffer without bounds checking, allowing arbitrary code execution in the context of the root user. The flaw is classified as CWE‑122, and the vendor authentication mechanism can be bypassed, so the existing access control is ineffective during exploitation.

Affected Systems

Affected systems are Philips Hue Bridge devices that run the hk_hap service on TCP 8080 and include any firmware revision that implements the current hap_pair_verify_handler routine. No specific firmware release numbers are supplied in the CNA data; therefore any Bridge device using this implementation is potentially impacted until a vendor‑issued update addresses the overflow.

Risk and Exploitability

The CVSS 3.1 base score of 8.0 indicates high severity. EPSS is below 1 %, and the vulnerability is not present in CISA’s KEV catalog, suggesting limited current exploitation. The attack requires only local network adjacency and the ability to send packets to port 8080; because the vulnerability can be triggered despite authentication, a single nearby device can launch the exploit. Successful exploitation results in full root control of the Bridge, enabling lateral movement or further compromise of the local network.

Generated by OpenCVE AI on March 17, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Philips has released a firmware update that addresses the hap_pair_verify_handler overflow. If a patch is available, apply it to the Hue Bridge.
  • If no update is available, restrict or block inbound traffic to TCP 8080 from untrusted or remote networks using a firewall or router ACL to reduce the attack surface.
  • Continuously monitor the bridge’s network activity for unexpected or malformed Sub‑TLV packets and verify the authentication mechanism is functioning correctly after any changes.

Generated by OpenCVE AI on March 17, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Phillips
Phillips hue Bridge
Vendors & Products Phillips
Phillips hue Bridge

Fri, 13 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28337.
Title Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0

{'score': 8, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Phillips Hue Bridge
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-16T20:17:59.717Z

Reserved: 2026-03-04T19:42:37.457Z

Link: CVE-2026-3557

cve-icon Vulnrichment

Updated: 2026-03-16T20:17:55.799Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:19:48.837

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-3557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:39:53Z

Weaknesses