VYPR advisory · Published Mar 6, 2026 · Updated May 18, 2026 · 1 source

Philips Hue Bridge HomeKit Flaw (CVE-2026-3556) Allows Remote Code Execution via Heap Overflow

A heap-based buffer overflow in the Philips Hue Bridge's HomeKit Pair-Setup functionality, disclosed at Pwn2Own, allows unauthenticated network-adjacent attackers to execute arbitrary code.

A critical vulnerability in the Philips Hue Bridge, designated CVE-2026-3556, was disclosed on March 6, 2026, by the Zero Day Initiative (ZDI) as part of the Pwn2Own hacking contest. The flaw is a heap-based buffer overflow in the HomeKit Pair-Setup functionality, specifically within the `hk_hap_pair_storage_put` function. This vulnerability allows unauthenticated attackers on the same network to execute arbitrary code on affected Hue Bridge devices, potentially compromising smart home ecosystems.

The vulnerability, assigned a CVSS score of 8.8, stems from improper validation of the length of user-supplied data before it is copied into a fixed-length heap-based buffer. An attacker can leverage this to overwrite adjacent heap memory and achieve code execution in the context of the HomeKit service. Because no authentication is required, any device on the local network can trigger the flaw, making it particularly dangerous for home and enterprise environments where Hue Bridges are deployed.
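The defect class the advisory describes, a missing length check before a copy into a fixed-size heap record, is easier to reason about next to its fix. The following C is an added illustration written for this page; it is not Philips Hue code, and the function names, record layout and 64-byte limit are constructed assumptions that say nothing about how the real `hk_hap_pair_storage_put` is implemented. The unchecked variant is included only to stand beside the hardened one.

```c
/* Illustrative model of the vulnerability class in the advisory: a fixed-length
 * heap buffer receives caller-supplied data whose length is never validated.
 * All names, the struct layout and PAIR_RECORD_MAX are constructed for this
 * example (assumption); none of it is the Hue Bridge's actual code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAIR_RECORD_MAX 64   /* assumed fixed capacity of one stored record */

typedef struct {
    uint8_t data[PAIR_RECORD_MAX];   /* fixed-length storage, allocated on the heap below */
    size_t  len;
} pair_record_t;

/* "Before" pattern matching the advisory's description: the length taken
 * from the network message drives memcpy directly. When len exceeds
 * sizeof(rec->data) this writes past the record into adjacent heap memory,
 * which is undefined behaviour; it is kept here only for comparison. */
int pair_storage_put_unchecked(pair_record_t *rec, const uint8_t *src, size_t len)
{
    memcpy(rec->data, src, len);     /* no bounds check: heap overflow possible */
    rec->len = len;
    return 0;
}

/* Hardened form: validate the length against the buffer size before any copy
 * and reject oversized input instead of truncating it silently. */
int pair_storage_put_checked(pair_record_t *rec, const uint8_t *src, size_t len)
{
    if (rec == NULL || src == NULL)
        return -1;
    if (len > sizeof(rec->data))     /* bounds check precedes the copy */
        return -1;                   /* oversized record rejected */
    memcpy(rec->data, src, len);
    rec->len = len;
    return 0;
}

/* Demo helper: build a constructed payload of `len` filler bytes, allocate the
 * record on the heap (as in the advisory's scenario) and run the checked path.
 * Returns the put function's status: 0 accepted, -1 rejected, -2 allocation failure. */
int demo_put(size_t len)
{
    pair_record_t *rec = calloc(1, sizeof *rec);
    uint8_t *payload = malloc(len ? len : 1);
    if (rec == NULL || payload == NULL) {
        free(rec);
        free(payload);
        return -2;
    }
    memset(payload, 0x41, len);      /* constructed sample input */
    int rc = pair_storage_put_checked(rec, payload, len);
    free(payload);
    free(rec);
    return rc;
}

int main(void)
{
    printf("64-byte record: %s\n", demo_put(64) == 0 ? "accepted" : "rejected");
    printf("65-byte record: %s\n", demo_put(65) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check is deliberately `len > sizeof(rec->data)` on the destination's real size rather than on a separately maintained constant, so the guard cannot drift out of sync with the buffer if the record layout changes; rejecting rather than clamping also keeps a malformed record from being stored in a half-valid state.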

Philips has released a fix in Bridge v2 Software version 1975170000, announced in the official Philips Hue release notes. The vulnerability was reported to Philips by InnoEdge Labs on November 18, 2025, and the coordinated disclosure was published on March 6, 2026. Users are strongly advised to update their Hue Bridge firmware immediately to mitigate the risk.

The disclosure timeline indicates that the vulnerability was responsibly reported and patched within approximately four months. However, the public release of the advisory means that exploit details are now available, increasing the likelihood of in-the-wild attacks. Given the popularity of Philips Hue smart lighting systems, the potential impact spans millions of households and commercial installations.

This vulnerability highlights the growing attack surface of Internet of Things (IoT) devices, particularly those that integrate with smart home platforms like Apple HomeKit. As smart home adoption increases, so does the need for rigorous security testing and rapid patch deployment. The inclusion of this flaw in Pwn2Own underscores the value that the security research community places on IoT security.

Philips has not reported any active exploitation of CVE-2026-3556 as of the advisory date. However, users should remain vigilant and ensure that their Hue Bridges are not exposed to untrusted networks. Network segmentation and regular firmware updates remain the best defenses against such vulnerabilities.

Synthesized by Vypr AI