Description
Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28469.
Published: 2026-03-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability in Philips Hue Bridge's HomeKit implementation, specifically the hk_hap_pair_storage_put function, permits a heap-based buffer overflow that leads to remote code execution. The flaw arises because the function, which listens on TCP port 8080 by default, fails to validate the length of user-supplied data before copying it into a heap buffer. Attackers with network proximity can send malformed data to exploit the overflow and execute arbitrary code within the device's context. The weakness is identified as CWE-122.
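To make the CWE-122 pattern described above concrete, here is an added example in C. It is not code from the Philips Hue Bridge firmware, from ZDI or from OpenCVE; the record layout, the RECORD_CAP size, the one-byte length prefix and the function names store_record_unchecked, store_record_checked and accepts_message are all constructed for illustration. The unchecked function copies a caller-supplied length into a fixed-size heap allocation without validating it; the checked form rejects any message whose declared length exceeds either the allocation or the bytes actually received, which is the validation the analysis says the vulnerable function lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for illustration only; not the Hue Bridge's data structures. */
#define RECORD_CAP 64

typedef struct {
    uint8_t len;               /* declared payload length */
    uint8_t data[RECORD_CAP];  /* fixed-size payload storage inside a heap allocation */
} pair_record_t;

/* Wire format assumed here: one length byte followed by that many payload bytes. */

/* CWE-122 pattern: the declared length is trusted, so a message declaring more
 * than RECORD_CAP bytes writes past the end of the heap allocation. Shown for
 * contrast only; the demos below never call it. */
pair_record_t *store_record_unchecked(const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < 1)
        return NULL;
    pair_record_t *rec = malloc(sizeof *rec);
    if (rec == NULL)
        return NULL;
    rec->len = msg[0];
    memcpy(rec->data, msg + 1, rec->len); /* no bound against RECORD_CAP or msg_len */
    return rec;
}

/* Hardened form: the declared length is checked against both the allocation's
 * capacity (heap overflow on write) and the bytes received (over-read). */
pair_record_t *store_record_checked(const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < 1)
        return NULL;
    size_t declared = msg[0];
    if (declared > RECORD_CAP)      /* would overflow rec->data */
        return NULL;
    if (declared > msg_len - 1)     /* would read beyond the received message */
        return NULL;
    pair_record_t *rec = calloc(1, sizeof *rec);
    if (rec == NULL)
        return NULL;
    rec->len = (uint8_t)declared;
    memcpy(rec->data, msg + 1, declared);
    return rec;
}

/* Returns 1 if the checked path accepts the message, 0 if it rejects it. */
int accepts_message(const uint8_t *msg, size_t msg_len)
{
    pair_record_t *rec = store_record_checked(msg, msg_len);
    if (rec == NULL)
        return 0;
    free(rec);
    return 1;
}

/* Constructed sample: a well-formed three-byte payload. */
int demo_well_formed(void)
{
    const uint8_t msg[] = { 3, 'a', 'b', 'c' };
    return accepts_message(msg, sizeof msg);
}

/* Constructed sample: declares 200 payload bytes and supplies them; would overflow the 64-byte field. */
int demo_oversized(void)
{
    uint8_t msg[1 + 200];
    memset(msg, 'A', sizeof msg);
    msg[0] = 200;
    return accepts_message(msg, sizeof msg);
}

/* Constructed sample: declares 10 bytes but only one was received; would read past the buffer. */
int demo_truncated(void)
{
    const uint8_t msg[] = { 10, 'a' };
    return accepts_message(msg, sizeof msg);
}

int main(void)
{
    printf("well-formed accepted: %d\n", demo_well_formed());
    printf("oversized accepted:   %d\n", demo_oversized());
    printf("truncated accepted:   %d\n", demo_truncated());
    return 0;
}
```

The two checks are independent: the capacity check alone would still let a short message with a large length byte read uninitialised or out-of-bounds memory, and the received-length check alone would still let a long message overflow the record. Both belong before the copy.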

Affected Systems

Affects Philips Hue Bridge installations whose HomeKit implementation includes the hk_hap_pair_storage_put function. The advisory discloses no specific affected firmware versions, so any firmware build that contains this function should be treated as potentially vulnerable. Consult the Philips Hue Bridge firmware changelog or support page for confirmation.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score below 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the vulnerable service listens on TCP port 8080 and requires no authentication, any device on the same local network is a potential source of an attack. A successfully triggered heap overflow would give the attacker full control of the device.

Generated by OpenCVE AI on March 16, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest Philips Hue Bridge firmware update that addresses the heap-based buffer overflow.
  • If no update is available, restrict network access to port 8080 by configuring your router or firewall to block incoming connections to the Hue Bridge from untrusted networks.
  • Segment the local network to isolate the Hue Bridge from devices that are not trusted or are not part of the home automation ecosystem.
  • Monitor the device for unexpected network activity or anomalous log entries that could indicate exploitation attempts.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Phillips; Phillips hue Bridge
Vendors & Products | | Phillips; Phillips hue Bridge

Fri, 13 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28469.
Title | | Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses | | CWE-122
References | |
Metrics | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Phillips Hue Bridge
MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-16T20:20:23.327Z

Reserved: 2026-03-04T19:42:49.491Z

Link: CVE-2026-3560

Vulnrichment

Updated: 2026-03-16T20:20:18.566Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:19:52.050

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-3560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:50Z

Weaknesses