patch · Published Mar 6, 2026 · Updated May 18, 2026 · 1 source

Philips Hue Bridge Zigbee Stack Flaw (CVE-2026-3555) Allows RCE via Malicious Light Bulb

A heap-based buffer overflow in the Philips Hue Bridge's Zigbee stack, disclosed at Pwn2Own, lets network-adjacent attackers execute arbitrary code by tricking a user into pairing a malicious device.

A critical vulnerability in the Philips Hue Bridge, the central hub for millions of smart lighting systems worldwide, could allow an attacker to take full control of the device simply by convincing a user to pair a new light bulb or sensor. The flaw, tracked as CVE-2026-3555 and carrying a CVSS score of 8.0, was disclosed by Trend Micro's Zero Day Initiative (ZDI) on March 6, 2026, after being demonstrated at the Pwn2Own hacking contest.

The vulnerability resides in the Bridge's handling of custom Zigbee Cluster Library (ZCL) frames during the Model Info download process. Zigbee is the wireless protocol used by Philips Hue and many other smart home devices to communicate. The specific bug is a heap-based buffer overflow: the Bridge does not properly validate the size of incoming data before copying it to a fixed-size heap buffer. An attacker can exploit this by sending a specially crafted Zigbee frame from a network-adjacent position — meaning within radio range of the target Bridge.
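The missing size validation described above can be made concrete with a receiver that checks every length before copying into its fixed-size heap buffer. This is an added illustration, not the Bridge's firmware or Philips' patch; the chunk layout, the names and the 256-byte capacity are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_INFO_MAX 256u   /* assumed capacity of the fixed-size heap buffer */
#define HDR_LEN 3u            /* constructed header: offset u16 LE + length u8 */

enum rx_status { RX_OK = 0, RX_TRUNCATED = -1, RX_BAD_OFFSET = -2, RX_TOO_LARGE = -3 };

struct model_info_rx {        /* hypothetical reassembly state */
    uint8_t *buf;             /* MODEL_INFO_MAX bytes on the heap */
    size_t used;              /* bytes accepted so far */
};

int model_info_rx_init(struct model_info_rx *rx) {
    rx->buf = calloc(1, MODEL_INFO_MAX);
    rx->used = 0;
    return rx->buf ? 0 : -1;
}

/* Accept one chunk. Every length is checked before memcpy touches the heap. */
enum rx_status model_info_rx_chunk(struct model_info_rx *rx,
                                   const uint8_t *payload, size_t payload_len) {
    if (payload_len < HDR_LEN) return RX_TRUNCATED;
    size_t offset = (size_t)payload[0] | ((size_t)payload[1] << 8);
    size_t len = payload[2];
    /* Declared length must not exceed the bytes actually received. */
    if (len > payload_len - HDR_LEN) return RX_TRUNCATED;
    /* Only in-order chunks: the sender never chooses the write position. */
    if (offset != rx->used) return RX_BAD_OFFSET;
    /* Capacity check as a subtraction, so it cannot wrap around. */
    if (len > MODEL_INFO_MAX - rx->used) return RX_TOO_LARGE;
    memcpy(rx->buf + rx->used, payload + HDR_LEN, len);
    rx->used += len;
    return RX_OK;
}

/* Constructed input: a first_len-byte chunk, then a chunk whose header declares
   (off, len) but which carries `actual` data bytes. Returns the final verdict. */
int demo(uint8_t first_len, uint16_t off, uint8_t len, uint8_t actual) {
    struct model_info_rx rx;
    uint8_t c[HDR_LEN + 255] = {0, 0, first_len};
    uint8_t d[HDR_LEN + 255] = {(uint8_t)(off & 0xff), (uint8_t)(off >> 8), len};
    if (model_info_rx_init(&rx) != 0) return -4;
    int st = model_info_rx_chunk(&rx, c, HDR_LEN + first_len);
    if (st == RX_OK) st = model_info_rx_chunk(&rx, d, HDR_LEN + actual);
    free(rx.buf);
    return st;
}
```

A receiver that performs only the `memcpy`, trusting the sender's length field, is the pattern the advisory describes; the three rejections are what bound the copy to the allocation.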

Crucially, exploitation requires user interaction. The attacker must induce the victim to initiate the device pairing process on their Hue system. This could be achieved through social engineering, such as convincing a user to add a new 'smart bulb' that is actually a malicious device controlled by the attacker. Once the pairing process begins, the malicious device sends the oversized ZCL frame, triggering the overflow and granting the attacker arbitrary code execution on the Bridge itself.

The impact is significant. The Philips Hue Bridge is the brain of the smart lighting ecosystem, controlling not just lights but also routines, sensors, and integrations with other smart home platforms. An attacker who gains code execution on the Bridge could potentially pivot to other devices on the home network, exfiltrate data, or use the Bridge as a persistent foothold for further attacks. The vulnerability was discovered and reported to Philips by researchers Mehdi Talbi, Matthieu Breuil, and Théo Gordyjan from Synacktiv, a French security firm known for its Pwn2Own successes.

Philips has released a fix. The vulnerability is addressed in Bridge v2 Software version 1975170000, which users can install via the Philips Hue app. The disclosure timeline shows the vulnerability was reported to Philips on November 18, 2025, with the coordinated public release occurring on March 6, 2026. Users are strongly advised to ensure their Hue Bridge is updated to the latest firmware to mitigate the risk.

This vulnerability highlights the growing attack surface of smart home devices. As IoT hubs like the Hue Bridge become more powerful and connected, they also become more attractive targets. The fact that this flaw was discovered and demonstrated at Pwn2Own, a contest that drives the discovery of high-impact zero-days, underscores the importance of rigorous security testing in consumer IoT products. For users, the key takeaway is to be cautious about pairing unknown devices and to keep automatic firmware updates enabled.

Synthesized by Vypr AI