ID
VAR-202603-0936
CVE
CVE-2026-3560
TITLE
(Pwn2Own) Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability
Trust: 0.7
DESCRIPTION
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.
Trust: 0.7
AFFECTED PRODUCTS
| vendor: | philips | model: | hue bridge | scope: | - | version: | - | Trust: 0.7 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||
|
|
PATCH
| title: | Fixed in Bridge v2 Software version 1975170000 | url: | https://www.philips-hue.com/en-ca/support/release-notes/bridge | Trust: 0.7 |
EXTERNAL IDS
| db: | ZDI_CAN | id: | ZDI-CAN-28469 | Trust: 0.7 |
| db: | NVD | id: | CVE-2026-3560 | Trust: 0.7 |
| db: | ZDI | id: | ZDI-26-158 | Trust: 0.7 |
REFERENCES
| url: | https://www.philips-hue.com/en-ca/support/release-notes/bridge | Trust: 0.7 |
CREDITS
Xilokar (@xilokar@mamot.fr)
Trust: 0.7
SOURCES
| db: | ZDI | id: | ZDI-26-158 |
LAST UPDATE DATE
2026-03-09T23:47:24.755000+00:00
SOURCES UPDATE DATE
| db: | ZDI | id: | ZDI-26-158 | date: | 2026-03-06T00:00:00 |
SOURCES RELEASE DATE
| db: | ZDI | id: | ZDI-26-158 | date: | 2026-03-06T00:00:00 |