CVE-2026-3561: Heap Buffer Overflow in Philips Hue Bridge Lets Network-Adjacent Attackers Execute Code
A heap-based buffer overflow in the Philips Hue Bridge (CVE-2026-3561) allows network-adjacent attackers to execute arbitrary code, with authentication bypass possible; the flaw was demonstrated at Pwn2Own and patched in firmware version 1975170000.

A critical vulnerability in the Philips Hue Bridge, tracked as CVE-2026-3561, exposes smart home users to remote code execution from network-adjacent attackers. The flaw, a heap-based buffer overflow in the device's handling of PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint, was disclosed by the Zero Day Initiative (ZDI) on March 6, 2026, after being demonstrated at the Pwn2Own hacking competition.
The vulnerability resides in the `hk_hap` characteristics handler. When the bridge processes a PUT request to this endpoint, it fails to properly validate the length of user-supplied data before copying it into a heap-based buffer. An attacker can craft a malicious request that overflows the buffer, corrupting adjacent memory and enabling arbitrary code execution in the context of the device. Although authentication is required, the ZDI advisory notes that the existing authentication mechanism can be bypassed, making exploitation more feasible for skilled adversaries.
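As an added illustration of the bug class described above (constructed for this article, not code from Philips or the ZDI advisory), the C sketch below contrasts a handler that copies a PUT body into a fixed-size heap buffer using the client-supplied length with one that validates that length before allocating or copying; the request layout, buffer size and function names are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the advisory, not Philips Hue code.
 * Assumed: the handler stages the body of a PUT to the HAP characteristics
 * endpoint in a fixed-size heap buffer; the request layout is hypothetical. */
#define HAP_BODY_MAX 256
#define CL_HDR "Content-Length:"
/* Content-Length as claimed by the client (-1 if absent/malformed). Untrusted input. */
static long claimed_content_length(const char *req) {
    const char *h = strstr(req, CL_HDR);
    if (!h) return -1;
    const char *digits = h + sizeof(CL_HDR) - 1;
    char *end;
    errno = 0;
    long n = strtol(digits, &end, 10);
    return (errno || end == digits || n < 0) ? -1 : n;
}
static const char *body_start(const char *req) {
    const char *b = strstr(req, "\r\n\r\n");
    return b ? b + 4 : NULL;
}
/* Vulnerable pattern: copy length taken from the request, buffer size fixed. */
int hap_put_unsafe(const char *req, char **staged) {
    const char *body = body_start(req);
    long len = claimed_content_length(req);
    if (!body || len < 0) return -1;
    char *buf = malloc(HAP_BODY_MAX);
    if (!buf) return -1;
    memcpy(buf, body, (size_t)len);  /* len > HAP_BODY_MAX writes past the chunk */
    *staged = buf;
    return (int)len;
}
/* Hardened: reject an oversized claim before allocating, and never copy more
 * bytes than were actually received. Caller frees *staged on success. */
int hap_put_safe(const char *req, char **staged) {
    const char *body = body_start(req);
    long len = claimed_content_length(req);
    if (!body || len < 0) return -1;
    if (len >= HAP_BODY_MAX) return -2;        /* 413 Payload Too Large */
    if ((size_t)len > strlen(body)) return -3; /* 400: body shorter than claimed */
    char *buf = calloc(1, HAP_BODY_MAX);       /* zeroed, so staged body is NUL-terminated */
    if (!buf) return -1;
    memcpy(buf, body, (size_t)len);
    *staged = buf;
    return (int)len;
}
```

The hardened handler rejects the oversized claim before any allocation, so an over-long Content-Length never reaches the copy.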
Philips Hue Bridge v2 devices running software versions prior to 1975170000 are affected. The Hue Bridge is a central hub that connects Philips Hue smart lights and accessories to a home network, controlling them via the Zigbee protocol and bridging them to Wi-Fi for app and voice control. Millions of these devices are deployed in homes and small offices worldwide, making the vulnerability a significant concern for the Internet of Things (IoT) landscape.
The flaw was reported to Philips by the Thalium team from Thales Group on November 18, 2025. Philips released a fix in Bridge v2 Software version 1975170000, which users can install through the official Philips Hue app; the version is also listed in the official release notes. The ZDI advisory credits the Thalium team for discovering and responsibly disclosing the vulnerability.
CVE-2026-3561 carries a CVSS score of 8.0 (High), with the vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating low attack complexity, no user interaction required, and full compromise of confidentiality, integrity, and availability. The attack vector is adjacent network, meaning the attacker must be on the same local network as the bridge, which is typical for many IoT exploits but still poses a serious risk in shared environments like apartment buildings or co-working spaces.
This disclosure follows a pattern of critical vulnerabilities found in smart home hubs, which often run stripped-down Linux systems with limited security hardening. The Pwn2Own demonstration underscores the value that researchers and attackers alike place on compromising central IoT controllers, as they provide a gateway to other devices on the network. Users are strongly advised to update their Hue Bridge firmware immediately and to ensure their home network is segmented to limit exposure of IoT devices.