
CVE-2026-3556

Severity: High
Published: 16 March 2026
Modified: 27 April 2026
CVSS v3 score: 8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0051 (39.7th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-3556 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Philips Hue Bridge V2 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 39.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the HomeKit service. Was ZDI-CAN-28326.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

An unauthenticated heap buffer overflow in the HomeKit pairing service, reachable from the adjacent network (AV:A), gives direct remote code execution on the bridge, which is exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3560 (same product: Philips Hue Bridge V2)
CVE-2026-3562 (same product: Philips Hue Bridge V2)
CVE-2026-3559 (same product: Philips Hue Bridge V2)
CVE-2026-3558 (same product: Philips Hue Bridge V2)
CVE-2025-49676 (shared CWE-122)
CVE-2025-21306 (shared CWE-122)
CVE-2023-50739 (shared CWE-122)
CVE-2025-49757 (shared CWE-122)
CVE-2025-21223 (shared CWE-122)
CVE-2025-21236 (shared CWE-122)

Affected Assets

Philips Hue Bridge V2 firmware, versions ≤ 1975170000

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
