VYPR
patch · Published Mar 6, 2026 · Updated May 18, 2026 · 1 source

Philips Hue Bridge HomeKit Flaw (CVE-2026-3560) Allows Remote Code Execution via Heap Overflow

A critical heap-based buffer overflow in the Philips Hue Bridge's HomeKit implementation, disclosed at Pwn2Own, allows network-adjacent attackers to execute arbitrary code without authentication.

Philips has released a firmware update to address CVE-2026-3560, a critical heap-based buffer overflow vulnerability in the Hue Bridge's HomeKit implementation. The flaw, which carries a CVSS score of 8.8, was demonstrated at the Pwn2Own hacking competition and could allow network-adjacent attackers to execute arbitrary code on affected devices without any authentication.

The vulnerability resides in the `hk_hap_pair_storage_put` function of the HomeKit service, which listens on TCP port 8080 by default. The issue stems from the lack of proper validation of the length of user-supplied data before copying it to a heap-based buffer. An attacker who can send specially crafted packets to the bridge can trigger a heap overflow, potentially gaining full control of the device.
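To illustrate the defect class described above (an attacker-supplied length copied into a fixed-size heap buffer without being checked), here is an added, hypothetical C example that is not the Hue Bridge's code: the unchecked copy beside its bounded form, plus a parser for a constructed one-byte length-prefixed message. The function and type names, the 64-byte record size and the message layout are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pairing-record store: a fixed heap buffer that receives a
 * length-prefixed value from the network. Names and sizes are assumptions,
 * not the Hue Bridge's actual implementation. */
#define PAIR_RECORD_MAX 64

typedef struct {
    uint8_t *data;   /* heap buffer of PAIR_RECORD_MAX bytes */
    size_t len;
} pair_record_t;

pair_record_t *pair_record_new(void) {
    pair_record_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->data = calloc(PAIR_RECORD_MAX, 1);
    if (!r->data) { free(r); return NULL; }
    return r;
}

void pair_record_free(pair_record_t *r) {
    if (!r) return;
    free(r->data);
    free(r);
}

/* Vulnerable pattern: the caller-supplied length is trusted, so a value longer
 * than PAIR_RECORD_MAX writes past the heap allocation. Shown for contrast only. */
void pair_storage_put_unchecked(pair_record_t *r, const uint8_t *val, size_t val_len) {
    memcpy(r->data, val, val_len);   /* no bound check against the buffer size */
    r->len = val_len;
}

/* Hardened form: validate the length against the buffer before copying.
 * Returns 0 on success, -1 when the value is rejected. */
int pair_storage_put(pair_record_t *r, const uint8_t *val, size_t val_len) {
    if (!r || !val) return -1;
    if (val_len > PAIR_RECORD_MAX) return -1;   /* the check the flaw lacks */
    memcpy(r->data, val, val_len);
    r->len = val_len;
    return 0;
}

/* Parse a constructed message of the form [len:1][value:len] and store it.
 * Also rejects a declared length that exceeds the bytes actually received. */
int pair_storage_put_from_msg(pair_record_t *r, const uint8_t *msg, size_t msg_len) {
    if (!msg || msg_len < 1) return -1;
    size_t declared = msg[0];
    if (declared > msg_len - 1) return -1;      /* truncated or inconsistent header */
    return pair_storage_put(r, msg + 1, declared);
}
```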

Philips Hue Bridge devices are widely deployed in smart home environments, often connected to corporate or residential networks. Because the attack requires only network adjacency — meaning the attacker must be on the same local network or within Wi-Fi range — the risk is particularly acute for users who have not segmented their IoT devices from critical systems. The vulnerability does not require any user interaction or credentials to exploit.

The flaw was reported to Philips by researcher Xilokar on November 18, 2025, and the coordinated disclosure was published on March 6, 2026. Philips has fixed the issue in Bridge v2 Software version 1975170000, as documented in the Philips Hue app's release notes. Users are strongly advised to update their bridges immediately.

This disclosure comes amid a broader trend of vulnerabilities being uncovered in smart home hubs and IoT devices, which often run on embedded Linux systems with limited security hardening. The Pwn2Own contest has repeatedly highlighted such devices as attractive targets, given their persistent network connectivity and the difficulty of applying patches in consumer environments.

Organizations and individuals using Philips Hue Bridges should ensure automatic updates are enabled and verify that their bridge firmware is at version 1975170000 or later. As a defense-in-depth measure, network administrators should also consider isolating IoT devices on a separate VLAN to limit the blast radius of any potential compromise.

Synthesized by Vypr AI