CVE-2026-3557 Overview
CVE-2026-3557 is a heap-based buffer overflow vulnerability in the Philips Hue Bridge V2 that allows network-adjacent attackers to execute arbitrary code as root. The flaw resides in the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by default. The service fails to validate the length of user-supplied sub-TLV data before copying it into a heap-based buffer. Although the endpoint requires authentication, the existing authentication mechanism can be bypassed, lowering the practical barrier to exploitation. The issue is tracked under Zero Day Initiative advisory ZDI-26-155 and was internally identified as ZDI-CAN-28337.
Critical Impact
A network-adjacent attacker who bypasses authentication can corrupt heap memory in the hk_hap service and execute arbitrary code with root privileges on the affected Hue Bridge.
Affected Products
- Philips Hue Bridge V2
- Philips Hue Bridge V2 Firmware
- Devices exposing the hk_hap HomeKit Accessory Protocol service on TCP port 8080
Discovery Timeline
- 2026-03-16 - CVE-2026-3557 published to the National Vulnerability Database
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-3557
Vulnerability Analysis
The vulnerability exists in the hap_pair_verify_handler function within the hk_hap service. This service implements the HomeKit Accessory Protocol pairing flow and accepts Type-Length-Value (TLV) encoded messages over TCP port 8080. During processing of the pair-verify exchange, the handler parses nested sub-TLV fields supplied by the client. The handler copies sub-TLV payload bytes into a fixed-size heap buffer without verifying that the declared length fits the destination allocation, classified under [CWE-122] Heap-based Buffer Overflow.
Successful exploitation overwrites adjacent heap metadata and application data structures. An attacker can use this primitive to hijack control flow inside the hk_hap process. Because the service runs as root on the bridge, code execution occurs with full system privileges. The bridge has no shell-level user separation, so root code execution grants persistent control over the device and any Zigbee-connected lighting and sensor ecosystem behind it.
Root Cause
The root cause is missing bounds validation on the length field of attacker-controlled sub-TLV records before the handler copies the record into a heap allocation: the handler trusts the length value embedded in the TLV stream and uses it directly as the copy size, so a declared length larger than the destination buffer writes past its end. The pair-verify endpoint is nominally gated by authentication, but the existing mechanism can be bypassed, so an attacker on the same network segment reaches the vulnerable parser without valid credentials.
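The missing length check, shown as an added example in C. This is not code from the Hue Bridge firmware or from the ZDI advisory; it models the bug class described in the Vulnerability Analysis and Root Cause sections with a small TLV8 parser (1-byte type, 1-byte length, value), a container record holding a nested sub-TLV, a vulnerable handler that uses the declared sub-TLV length as the memcpy size, and a hardened handler that rejects any declared length larger than the 32-byte heap allocation. The type numbers (0x05, 0x01), the 32-byte capacity, the message layout and the function names are assumptions for illustration. The same bound (declared sub-TLV length against the expected maximum) is what a traffic monitor implementing the Detection Strategies below would check.

```c
/* Added example, not Hue Bridge firmware or ZDI advisory code. Models the bug
 * class: a TLV8 record (1-byte type, 1-byte length, value) carries a nested
 * sub-TLV whose value is copied into a fixed-size heap buffer. Type numbers,
 * the 32-byte capacity and the message layout are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLV_CONTAINER 0x05  /* assumed: outer record holding the sub-TLV stream */
#define TLV_SUB_IDENT 0x01  /* assumed: sub-TLV that lands in the heap buffer  */
#define SUB_VALUE_CAP 32    /* assumed fixed-size heap allocation              */

typedef struct { uint8_t type; size_t len; const uint8_t *val; } tlv_t;

/* Read one TLV8 record at *off; fail if its declared length overruns the input. */
static int tlv_next(const uint8_t *buf, size_t buflen, size_t *off, tlv_t *out)
{
    if (buflen - *off < 2) return -1;
    uint8_t len = buf[*off + 1];
    if (buflen - *off - 2 < len) return -1;
    out->type = buf[*off]; out->len = len; out->val = buf + *off + 2;
    *off += 2 + (size_t)len;
    return 0;
}

/* Locate the container record, then the target sub-TLV nested inside it. */
static int find_sub_tlv(const uint8_t *msg, size_t msglen, tlv_t *sub)
{
    tlv_t rec;
    for (size_t off = 0; off < msglen; ) {
        if (tlv_next(msg, msglen, &off, &rec)) return -1;
        if (rec.type != TLV_CONTAINER) continue;
        for (size_t soff = 0; soff < rec.len; ) {
            if (tlv_next(rec.val, rec.len, &soff, sub)) return -1;
            if (sub->type == TLV_SUB_IDENT) return 0;
        }
    }
    return -1;
}

/* VULNERABLE pattern: the copy size is the attacker-declared sub-TLV length.
 * A sub-TLV longer than SUB_VALUE_CAP overflows the heap allocation (CWE-122). */
int handle_vulnerable(const uint8_t *msg, size_t msglen, size_t *copied)
{
    tlv_t sub;
    if (find_sub_tlv(msg, msglen, &sub)) return -1;
    uint8_t *buf = malloc(SUB_VALUE_CAP);
    if (!buf) return -1;
    memcpy(buf, sub.val, sub.len);          /* no check against SUB_VALUE_CAP */
    *copied = sub.len;
    free(buf);
    return 0;
}

/* HARDENED: the declared length is checked against the destination first. */
int handle_hardened(const uint8_t *msg, size_t msglen, size_t *copied)
{
    tlv_t sub;
    if (find_sub_tlv(msg, msglen, &sub)) return -1;
    if (sub.len > SUB_VALUE_CAP) return -2; /* oversized sub-TLV rejected */
    uint8_t *buf = malloc(SUB_VALUE_CAP);
    if (!buf) return -1;
    memcpy(buf, sub.val, sub.len);
    *copied = sub.len;
    free(buf);
    return 0;
}

/* Constructed message: one container wrapping one sub-TLV of sub_len 'A' bytes.
 * Returns the total length, or 0 if sub_len does not fit a 1-byte length. */
size_t build_msg(uint8_t *out, size_t cap, uint8_t sub_len)
{
    size_t total = 4 + (size_t)sub_len;
    if (sub_len > 253 || total > cap) return 0;
    out[0] = TLV_CONTAINER; out[1] = (uint8_t)(sub_len + 2);
    out[2] = TLV_SUB_IDENT; out[3] = sub_len;
    memset(out + 4, 'A', sub_len);
    return total;
}

/* Hardened handler's status for a sub_len-byte sub-TLV, with the message
 * truncated by trunc bytes to model a short read. -99 means build failure. */
int hardened_status(uint8_t sub_len, size_t trunc)
{
    uint8_t m[300];
    size_t n = build_msg(m, sizeof m, sub_len), copied = 0;
    if (n == 0 || trunc > n) return -99;
    return handle_hardened(m, n - trunc, &copied);
}

int main(void)
{
    printf("16-byte sub-TLV:  %d\n", hardened_status(16, 0));   /* 0: accepted  */
    printf("200-byte sub-TLV: %d\n", hardened_status(200, 0));  /* -2: rejected */
    printf("truncated input:  %d\n", hardened_status(200, 1));  /* -1: rejected */
    /* handle_vulnerable() on the 200-byte message would memcpy 200 bytes into a
     * 32-byte heap allocation, the overflow condition described above. */
    return 0;
}
```

Build with `cc -Wall -fsanitize=address example.c` and run it; calling handle_vulnerable with the 200-byte constructed message under AddressSanitizer produces a heap-buffer-overflow report at the memcpy, while the hardened handler returns -2 before any copy. The check on the declared length against the remaining input (in tlv_next) and against the destination capacity (in handle_hardened) are two distinct bounds, and a parser needs both.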
Attack Vector
Exploitation requires adjacent network access: the attacker must be on the same Wi-Fi or Ethernet broadcast domain as the Hue Bridge. The attacker connects to TCP port 8080, bypasses the authentication that gates the pair-verify exchange, and submits a crafted pair-verify TLV payload containing a sub-TLV whose declared length exceeds the destination buffer. That oversized length triggers the overflow inside hap_pair_verify_handler, and a tailored payload can corrupt heap structures to achieve code execution as root.
No public proof-of-concept code is available. See the Zero Day Initiative Advisory ZDI-26-155 for additional technical context.
Detection Methods for CVE-2026-3557
Indicators of Compromise
- Unexpected inbound TCP connections to port 8080 of the Hue Bridge from devices that are not registered HomeKit controllers.
- Crashes, restarts, or watchdog resets of the hk_hap service recorded in bridge logs or observable as repeated mDNS re-announcements.
- Outbound connections from the Hue Bridge to unknown internet hosts, indicating possible post-exploitation callback.
- New or modified Zigbee device pairings that do not correlate with user activity.
Detection Strategies
- Monitor LAN traffic for malformed HomeKit Accessory Protocol pair-verify TLV messages, particularly sub-TLV records with length fields exceeding expected ranges.
- Baseline normal pairing behavior of the Hue Bridge and alert on repeated failed pair-verify attempts originating from a single host.
- Inspect DHCP and ARP tables for unauthorized devices on segments that host IoT controllers.
Monitoring Recommendations
- Place IoT devices on a dedicated VLAN and log all flows crossing the segment boundary.
- Forward router and firewall logs covering the IoT VLAN to a centralized SIEM for correlation with endpoint telemetry.
- Track firmware versions of Hue Bridges through asset inventory tooling to confirm patched builds are deployed.
How to Mitigate CVE-2026-3557
Immediate Actions Required
- Update affected Philips Hue Bridge V2 devices to the latest firmware released by Signify through the Hue mobile application.
- Restrict network access to TCP port 8080 on the bridge to known HomeKit controllers using firewall or VLAN access control lists.
- Disable remote administrative access and ensure the bridge is not exposed to untrusted Wi-Fi networks or the public internet.
- Audit paired HomeKit and third-party controllers and remove any that are not recognized.
Patch Information
Refer to the Zero Day Initiative advisory ZDI-26-155 and Signify's Philips Hue security bulletin channel for the specific firmware version that adds the missing length validation in hap_pair_verify_handler. The Hue Bridge applies firmware updates automatically when it can reach the Hue cloud service, so verify that automatic updates are enabled and confirm the running firmware version in the Hue app under the bridge settings.
Workarounds
- Isolate the Hue Bridge on a segmented IoT VLAN that blocks lateral traffic from untrusted clients and guest Wi-Fi networks.
- Block inbound connections to TCP port 8080 from any host that is not an authorized HomeKit controller.
- Power down or disconnect bridges that cannot be updated until a fixed firmware version is installed.
# Example firewall rule set restricting access to the Hue Bridge HomeKit port.
# Apply on the router/firewall between the client segment and the IoT VLAN:
# FORWARD rules cannot filter hosts on the same L2 segment as the bridge, which
# is exactly the adjacent-network position this vulnerability requires.
# -A appends, so make sure no earlier FORWARD rule already accepts this traffic.
# Replace 192.0.2.10 with the Hue Bridge IP and 192.0.2.20 with the trusted controller
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 8080 -s 192.0.2.20 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


