{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3560", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-04T19:42:49.491Z", "datePublished": "2026-03-13T20:37:01.412Z", "dateUpdated": "2026-03-16T20:20:23.327Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:37:01.412Z"}, "title": "Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28469."}], "affected": [{"vendor": "Philips", "product": "Hue Bridge", "versions": [{"version": "1.73.1973146020", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-158/", "name": "ZDI-26-158", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-04T19:42:49.535Z", "datePublic": "2026-03-06T21:19:32.778Z", "source": {"lang": "en", "value": "Xilokar (@xilokar@mamot.fr)"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T20:20:11.397148Z", "id": "CVE-2026-3560", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:20:23.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3560", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:20:11.397148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:20:18.566Z"}}], "cna": {"title": "Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Xilokar (@xilokar@mamot.fr)"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Philips", "product": "Hue Bridge", "versions": [{"status": "affected", "version": "1.73.1973146020"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-06T21:19:32.778Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-158/", "name": "ZDI-26-158", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-04T19:42:49.535Z", "descriptions": [{"lang": "en", "value": "Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28469."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:37:01.412Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3560", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:20:23.327Z", "dateReserved": "2026-03-04T19:42:49.491Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-03-13T20:37:01.412Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:hue_bridge_v2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4C925A5-D9FB-482D-A98D-F879B1BD21EC", "versionEndExcluding": "1975170000", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:hue_bridge_v2:-:*:*:*:*:*:*:*", "matchCriteriaId": "55B37D18-3A59-423E-9D73-F80DFDB14C4D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28469."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo por desbordamiento de b\u00fafer basado en mont\u00edculo hk_hap_pair_storage_put de HomeKit en Philips Hue Bridge. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en instalaciones afectadas de Philips Hue Bridge. La autenticaci\u00f3n no es necesaria para explotar esta vulnerabilidad.\n\nLa falla espec\u00edfica existe dentro de la funci\u00f3n hk_hap_pair_storage_put de la implementaci\u00f3n de HomeKit, que escucha en el puerto TCP 8080 por defecto. El problema resulta de la falta de validaci\u00f3n adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos a un b\u00fafer basado en mont\u00edculo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del dispositivo. Fue ZDI-CAN-28469."}], "id": "CVE-2026-3560", "lastModified": "2026-04-27T14:30:43.610", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:52.050", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-158/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.73.1973146020"}}], "enrichment": {"confidence": 97.0, "confidence_source": "matching", "scores": [{"score": 97.0, "source": "matching"}]}, "original": {"product": "Hue Bridge", "source": "cna", "vendor": "Philips"}, "product": "hue_bridge", "vendor": "phillips"}], "analysis": {"en": {"generated_at": "2026-03-16T23:06:35.798075+00:00", "value": {"mitigation_remediation": ["Check for and install the latest Philips Hue Bridge firmware update that addresses the heap-based buffer overflow.", "If no update is available, restrict network access to port 8080 by configuring your router or firewall to block incoming connections to the Hue Bridge from untrusted networks.", "Segment the local network to isolate the Hue Bridge from devices that are not trusted or are not part of the home automation ecosystem.", "Monitor the device for unexpected network activity or anomalous log entries that could indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affects Philips Hue Bridge installations utilizing the HomeKit hk_hap_pair_storage_put endpoint. No specific vendor-released version numbers were disclosed in the advisory; therefore any firmware that implements this function is potentially vulnerable. Users should consult the Philips Hue Bridge firmware changelog or support page for confirmation.", "description_and_impact": "This vulnerability in Philips Hue Bridge's HomeKit implementation, specifically the hk_hap_pair_storage_put function, permits a heap-based buffer overflow that leads to remote code execution. The flaw arises because the function, which listens on TCP port 8080 by default, fails to validate the length of user-supplied data before copying it into a heap buffer. Attackers with network proximity can send malformed data to exploit the overflow and execute arbitrary code within the device's context. The weakness is identified as CWE-122.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Because the vulnerable service listens on port 8080 and requires no authentication, any device on the same local network can create an attack vector. If successfully triggered, the heap overflow would give the attacker full control over the device."}}}}, "created": "2026-03-16T09:23:44.477930+00:00", "updated": "2026-03-23T13:39:50.256868+00:00", "vendors": ["phillips", "phillips$PRODUCT$hue_bridge"]}