{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3557", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-04T19:42:37.457Z", "datePublished": "2026-03-13T20:36:48.632Z", "dateUpdated": "2026-03-16T20:17:59.717Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:36:48.632Z"}, "title": "Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28337."}], "affected": [{"vendor": "Philips", "product": "Hue Bridge", "versions": [{"version": "1.73.1973146020", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-155/", "name": "ZDI-26-155", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-04T19:42:37.503Z", "datePublic": "2026-03-06T21:19:15.836Z", "source": {"lang": "en", "value": "Viettel Cyber Security"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T20:17:45.866601Z", "id": "CVE-2026-3557", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:17:59.717Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3557", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:17:45.866601Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:17:55.799Z"}}], "cna": {"title": "Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Viettel Cyber Security"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Philips", "product": "Hue Bridge", "versions": [{"status": "affected", "version": "1.73.1973146020"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-06T21:19:15.836Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-155/", "name": "ZDI-26-155", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-04T19:42:37.503Z", "descriptions": [{"lang": "en", "value": "Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28337."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:36:48.632Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3557", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:17:59.717Z", "dateReserved": "2026-03-04T19:42:37.457Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-03-13T20:36:48.632Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:hue_bridge_v2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4C925A5-D9FB-482D-A98D-F879B1BD21EC", "versionEndExcluding": "1975170000", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:hue_bridge_v2:-:*:*:*:*:*:*:*", "matchCriteriaId": "55B37D18-3A59-423E-9D73-F80DFDB14C4D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28337."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo por desbordamiento de b\u00fafer basado en mont\u00edculo en el an\u00e1lisis de Sub-TLV de hap_pair_verify_handler de Philips Hue Bridge. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en instalaciones afectadas de Philips Hue Bridge. Aunque se requiere autenticaci\u00f3n para explotar esta vulnerabilidad, el mecanismo de autenticaci\u00f3n existente puede ser eludido.\n\nLa falla espec\u00edfica existe dentro de la funci\u00f3n hap_pair_verify_handler del servicio hk_hap, que escucha en el puerto TCP 8080 por defecto. El problema resulta de la falta de validaci\u00f3n adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos a un b\u00fafer basado en mont\u00edculo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto de root. Fue ZDI-CAN-28337."}], "id": "CVE-2026-3557", "lastModified": "2026-04-27T14:50:37.883", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:48.837", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-155/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.73.1973146020"}}], "enrichment": {"confidence": 97.0, "confidence_source": "matching", "scores": [{"score": 97.0, "source": "matching"}]}, "original": {"product": "Hue Bridge", "source": "cna", "vendor": "Philips"}, "product": "hue_bridge", "vendor": "phillips"}], "analysis": {"en": {"generated_at": "2026-03-17T00:06:48.477123+00:00", "value": {"mitigation_remediation": ["Verify whether Philips has released a firmware update that addresses the hap_pair_verify_handler overflow. If a patch is available, apply it to the Hue Bridge.", "If no update is available, restrict or block inbound traffic to TCP\u00a08080 from untrusted or remote networks using a firewall or router ACL to reduce the attack surface.", "Continuously monitor the bridge\u2019s network activity for unexpected or malformed Sub\u2011TLV packets and verify the authentication mechanism is functioning correctly after any changes."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are Philips Hue Bridge devices that run the hk_hap service on TCP\u00a08080 and include any firmware revision that implements the current hap_pair_verify_handler routine. No specific firmware release numbers are supplied in the CNA data; therefore any Bridge device using this implementation is potentially impacted until a vendor\u2011issued update addresses the overflow.", "description_and_impact": "The vulnerability is a heap\u2011based buffer overflow in the hap_pair_verify_handler routine of the hk_hap service, which listens on TCP port\u00a08080 in Philips Hue Bridge. An attacker sends a specially crafted Sub\u2011TLV payload that exceeds the expected length; the service copies the unvalidated data into a heap buffer without bounds checking, allowing arbitrary code execution in the context of the root user. The flaw is classified as CWE\u2011122, and the vendor authentication mechanism can be bypassed, so the existing access control is ineffective during exploitation.", "risk_and_exploitability": "The CVSS\u00a03.1 base score of 8.0 indicates high severity. EPSS is below 1\u202f%, and the vulnerability is not present in CISA\u2019s KEV catalog, suggesting limited current exploitation. The attack requires only local network adjacency and the ability to send packets to port\u00a08080; because the vulnerability can be triggered despite authentication, a single nearby device can launch the exploit. Successful exploitation results in full root control of the Bridge, enabling lateral movement or further compromise of the local network."}}}}, "created": "2026-03-16T09:23:49.099332+00:00", "updated": "2026-03-23T13:39:53.822904+00:00", "vendors": ["phillips", "phillips$PRODUCT$hue_bridge"]}