CVE-2026-3561 in Philips Hue Bridge: Remote Code Execution
Summary
A chain of vulnerabilities in the Philips Hue Bridge allowed a local or remote attacker to reliably gain code execution with root privileges.
The bugs were fixed in Bridge v2 firmware version 1975170000.
Details
The chain of vulnerabilities was demonstrated during Pwn2Own Ireland 2025. It targeted a flawed implementation of Apple’s HomeKit Accessory Protocol (HAP), and consisted of:
- an authentication bypass, which was independently found by several teams (CVE-2026-3558, CVE-2026-3559);
- a heap overflow in the characteristics endpoint (CVE-2026-3561).