Sign-up

ID

VAR-202603-0912


CVE

CVE-2026-3561


TITLE

(Pwn2Own) Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-26-159

DESCRIPTION

Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of PUT requests to the characteristics endpoint. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28479

Trust: 1.53

sources: NVD: CVE-2026-3561 // ZDI: ZDI-26-159

AFFECTED PRODUCTS

vendor:philipsmodel:hue bridgescope: - version: -

Trust: 0.7

sources: ZDI: ZDI-26-159

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2026-3561
value: HIGH

Trust: 1.0

ZDI: CVE-2026-3561
value: HIGH

Trust: 0.7

zdi-disclosures@trendmicro.com: CVE-2026-3561
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.0

ZDI: CVE-2026-3561
baseSeverity: HIGH
baseScore: 8.0
vectorString: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-26-159 // NVD: CVE-2026-3561

PROBLEMTYPE DATA

problemtype:CWE-122

Trust: 1.0

sources: NVD: CVE-2026-3561

PATCH

title:Fixed in Bridge v2 Software version 1975170000url:https://www.philips-hue.com/en-ca/support/release-notes/bridge

Trust: 0.7

sources: ZDI: ZDI-26-159

EXTERNAL IDS

db:NVDid:CVE-2026-3561

Trust: 1.7

db:ZDIid:ZDI-26-159

Trust: 1.7

db:ZDI_CANid:ZDI-CAN-28479

Trust: 0.7

sources: ZDI: ZDI-26-159 // NVD: CVE-2026-3561

REFERENCES

url:https://www.zerodayinitiative.com/advisories/zdi-26-159/

Trust: 1.0

url:https://www.philips-hue.com/en-ca/support/release-notes/bridge

Trust: 0.7

sources: ZDI: ZDI-26-159 // NVD: CVE-2026-3561

CREDITS

Thalium team from Thales Group (@thalium_team)

Trust: 0.7

sources: ZDI: ZDI-26-159

SOURCES

db:ZDIid:ZDI-26-159
db:NVDid:CVE-2026-3561

LAST UPDATE DATE

2026-03-16T23:56:12.317000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-26-159date:2026-03-06T00:00:00
db:NVDid:CVE-2026-3561date:2026-03-16T14:53:07.390

SOURCES RELEASE DATE

db:ZDIid:ZDI-26-159date:2026-03-06T00:00:00
db:NVDid:CVE-2026-3561date:2026-03-16T14:19:52.197