VYPR
Published Mar 6, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-3557: Heap Buffer Overflow in Philips Hue Bridge Lets Network-Adjacent Attackers Execute Code as Root

A heap-based buffer overflow in the Philips Hue Bridge's hap_pair_verify_handler function, disclosed via Pwn2Own, allows network-adjacent attackers to bypass authentication and execute arbitrary code as root.

A critical vulnerability in the Philips Hue Bridge, tracked as CVE-2026-3557, exposes smart home users to remote code execution attacks from within Wi-Fi range. The flaw, reported through the Pwn2Own hacking contest by Viettel Cyber Security, resides in the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by default.

The vulnerability is a heap-based buffer overflow caused by improper validation of the length of user-supplied data before that data is copied into a heap buffer. A network-adjacent attacker, meaning one on the same local network or within Wi-Fi range, can exploit this flaw to execute arbitrary code with root privileges. Critically, while authentication is required, the advisory notes that the existing authentication mechanism can be bypassed, lowering the barrier to exploitation.
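The bug class described above, as an added illustration that is not Philips Hue code and not the real hap_pair_verify_handler: a hypothetical length-prefixed field is copied into a fixed-size heap buffer, first with the peer-declared length trusted as-is, then with the length validated against both the received bytes and the buffer capacity before the copy. The message layout, the 32-byte capacity and all function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_CAP 32   /* hypothetical fixed heap buffer size */
#define HDR_LEN   3    /* assumed header: 1-byte type + 2-byte big-endian length */

enum { HAP_OK = 0, HAP_ERR_TRUNCATED = -1, HAP_ERR_TOO_LONG = -2, HAP_ERR_NOMEM = -3 };

/* Length as declared by the peer; untrusted until checked. */
static size_t declared_len(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | msg[2];
}

/* Vulnerable pattern (the bug class behind CVE-2026-3557): the peer-declared
 * length drives memcpy without being compared to the heap buffer's capacity. */
int pair_verify_unchecked(const uint8_t *msg, size_t msg_len, uint8_t **out) {
    if (msg_len < HDR_LEN) return HAP_ERR_TRUNCATED;
    uint8_t *buf = malloc(FIELD_CAP);
    if (!buf) return HAP_ERR_NOMEM;
    memcpy(buf, msg + HDR_LEN, declared_len(msg)); /* overflows when len > FIELD_CAP */
    *out = buf;
    return HAP_OK;
}

/* Hardened form: reject before copying if the declared length exceeds either
 * the bytes actually received or the destination capacity. */
int pair_verify_checked(const uint8_t *msg, size_t msg_len, uint8_t **out) {
    if (msg_len < HDR_LEN) return HAP_ERR_TRUNCATED;
    size_t len = declared_len(msg);
    if (len > msg_len - HDR_LEN) return HAP_ERR_TRUNCATED; /* claims more than sent */
    if (len > FIELD_CAP) return HAP_ERR_TOO_LONG;          /* would overflow buf */
    uint8_t *buf = malloc(FIELD_CAP);
    if (!buf) return HAP_ERR_NOMEM;
    memcpy(buf, msg + HDR_LEN, len);
    *out = buf;
    return HAP_OK;
}

/* Builds a constructed message (not captured traffic) whose header claims
 * `claim` payload bytes while `present` bytes (<= 256) actually follow, and
 * returns the hardened handler's verdict on it. */
int checked_verdict(size_t claim, size_t present) {
    uint8_t msg[HDR_LEN + 256] = {0x06, (uint8_t)(claim >> 8), (uint8_t)claim};
    memset(msg + HDR_LEN, 'A', present);
    uint8_t *out = NULL;
    int rc = pair_verify_checked(msg, HDR_LEN + present, &out);
    free(out);
    return rc;
}
```

The two failure verdicts matter separately for a handler like this: a length larger than the packet is a truncation error, while a length that fits the packet but not the buffer is exactly the case the unchecked version turns into a heap overflow.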

The Philips Hue Bridge is a central hub that connects smart lighting and other IoT devices to home networks. With millions of units deployed worldwide, the vulnerability poses a significant risk to residential and commercial environments where Hue systems are used. An attacker who gains root access could pivot to other devices on the network, install persistent malware, or compromise smart home functionality.

Philips has released a fix in Bridge v2 Software version 1975170000. Users are urged to update their Hue Bridge firmware immediately through the Philips Hue app or by checking the release notes on the official support page. The advisory notes that the vulnerability was reported on November 18, 2025, and publicly disclosed on March 6, 2026, following coordinated disclosure.

The CVSS score for CVE-2026-3557 is 8.0, with a vector of AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability. The attack complexity is low and no user interaction is required; the only privilege prerequisite is the authentication that the advisory says can be bypassed.

This disclosure is part of a broader trend of vulnerabilities in IoT hubs and smart home devices, which often run on embedded Linux systems with limited security hardening. The Pwn2Own contest has repeatedly highlighted such devices as attractive targets, with researchers earning significant bounties for responsibly disclosing flaws. Users should ensure their Hue Bridges are updated and consider segmenting IoT devices on a separate VLAN to limit the blast radius of potential compromises.

Synthesized by Vypr AI