Cyber Resilience

CVE-2026-3560

Severity: High
Published: 16 March 2026
Modified: 27 April 2026
KEV Added: not listed
Patch
CVSS v3.0 base score: 8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0049 (38.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-3560 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Philips Hue Bridge V2 firmware. Its CVSS v3.0 base score is 8.8 (High); the vector (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes an unauthenticated attacker on an adjacent network, no user interaction, and full confidentiality, integrity and availability impact.

Operationally, exploitation is mapped to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); note that the Attack Vector is Adjacent, so the attacker must be able to reach the bridge's network segment rather than exploit it from the public Internet. EPSS ranks it at the 38.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28469.
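The bug class above, a sender-declared length copied into a fixed-size heap field with no bounds check, is easiest to see beside its fix. What follows is an added illustration, not the Hue Bridge's code: the record layout, field sizes, type codes and function names are all assumptions made for the example (the item shape of a 1-byte type, 1-byte length and value mirrors the TLV8 encoding HAP pairing uses, but nothing here is taken from the advisory beyond the bug class). The vulnerable put trusts the declared length; a 33-byte "public key" spills one byte into the neighbouring permission field and turns a user pairing into an admin one. The demo keeps the spill inside the record so it is deterministic; with a larger declared length the same memcpy would run past the allocation into adjacent heap chunks, which is the route to code execution.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout of one pairing record in a heap allocation (an assumption
 * for illustration, not the Hue Bridge's real layout): identifier, long-term
 * public key, then a one-byte permission flag. */
#define ID_OFF    0
#define ID_LEN    36
#define LTPK_OFF  (ID_OFF + ID_LEN)       /* 36 */
#define LTPK_LEN  32
#define PERM_OFF  (LTPK_OFF + LTPK_LEN)   /* 68 */
#define REC_LEN   (PERM_OFF + 1)          /* 69 bytes per record */

#define PERM_USER  0x00
#define PERM_ADMIN 0x01

/* Hypothetical type codes; one item = 1-byte type, 1-byte length, value. */
enum { TLV_IDENTIFIER = 0x01, TLV_PUBLIC_KEY = 0x03, TLV_PERMISSIONS = 0x0b };

struct tlv_item {
    uint8_t type;
    uint8_t len;           /* declared by the sender, i.e. attacker-controlled */
    const uint8_t *value;
};

/* Map a TLV type to its field offset and capacity; 0 if the type is unknown. */
static int field_for(uint8_t type, size_t *off, size_t *cap)
{
    switch (type) {
    case TLV_IDENTIFIER:  *off = ID_OFF;   *cap = ID_LEN;   return 1;
    case TLV_PUBLIC_KEY:  *off = LTPK_OFF; *cap = LTPK_LEN; return 1;
    case TLV_PERMISSIONS: *off = PERM_OFF; *cap = 1;        return 1;
    default:              return 0;
    }
}

/* VULNERABLE pattern: the declared length is the copy size, never compared to cap. */
int pair_storage_put_vulnerable(uint8_t *rec, const struct tlv_item *items, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t off, cap;
        if (!field_for(items[i].type, &off, &cap)) return -1;
        memcpy(rec + off, items[i].value, items[i].len);   /* len unchecked */
    }
    return 0;
}

/* HARDENED: bound the declared length by the destination field before copying. */
int pair_storage_put_safe(uint8_t *rec, const struct tlv_item *items, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t off, cap;
        if (!field_for(items[i].type, &off, &cap)) return -1;
        if (items[i].len > cap) return -2;                 /* oversized item rejected */
        memcpy(rec + off, items[i].value, items[i].len);
    }
    return 0;
}

/* Drives one put() with a constructed record: a 36-byte id, a user permission, and
 * a "public key" of key_len bytes whose 33rd byte is PERM_ADMIN. Returns put()'s
 * result and stores the permission byte the record ends up holding. */
static int run_put(int (*put)(uint8_t *, const struct tlv_item *, size_t),
                   uint8_t key_len, uint8_t *perm_out)
{
    uint8_t id[ID_LEN], key[LTPK_LEN + 1], perm = PERM_USER;
    memset(id, 'A', sizeof id);
    memset(key, 0x42, LTPK_LEN);
    key[LTPK_LEN] = PERM_ADMIN;                  /* the byte that overflows */
    struct tlv_item items[] = {
        { TLV_IDENTIFIER,  ID_LEN,  id    },
        { TLV_PERMISSIONS, 1,       &perm },
        { TLV_PUBLIC_KEY,  key_len, key   },     /* processed last, so its spill wins */
    };
    uint8_t *rec = calloc(1, REC_LEN);
    if (!rec) return -99;
    int rc = put(rec, items, sizeof items / sizeof items[0]);
    *perm_out = rec[PERM_OFF];
    free(rec);
    return rc;
}

/* Permission byte after the vulnerable put handles a 33-byte key: 1 (admin). */
int demo_vulnerable_perm(void) { uint8_t p = 0; run_put(pair_storage_put_vulnerable, LTPK_LEN + 1, &p); return p; }
/* Return code of the hardened put on the same input: -2 (rejected before any copy of it). */
int demo_safe_rc(void)         { uint8_t p = 0; return run_put(pair_storage_put_safe, LTPK_LEN + 1, &p); }
/* Permission byte after the hardened put stores a well-formed 32-byte key: 0 (user). */
int demo_benign_perm(void)     { uint8_t p = 0; run_put(pair_storage_put_safe, LTPK_LEN, &p); return p; }

int main(void)
{
    printf("vulnerable put, 33-byte key: permission = %d (1 = admin)\n", demo_vulnerable_perm());
    printf("hardened put,   33-byte key: rc = %d (-2 = rejected)\n", demo_safe_rc());
    printf("hardened put,   32-byte key: permission = %d\n", demo_benign_perm());
    return 0;
}
```

The check in the hardened version is the whole fix: the length field of a wire item is data, not a trusted size, so it is compared against the capacity of the field it targets before memcpy runs. Rejecting the item outright (rather than truncating) is the safer choice for pairing data, where a silently truncated key is itself a problem.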

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The heap buffer overflow sits in the bridge's HomeKit service, which listens on TCP port 8080 and accepts requests without authentication, so a single crafted request from any host that can reach that port yields remote code execution on the device. The CVSS vector's Attack Vector is Adjacent: the service is exposed to the network the bridge sits on, not necessarily to the Internet, so the T1190 mapping holds to the extent that port is reachable from where the attacker is.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3559 (same product: Philips Hue Bridge V2)
CVE-2026-3558 (same product: Philips Hue Bridge V2)
CVE-2026-3556 (same product: Philips Hue Bridge V2)
CVE-2026-3562 (same product: Philips Hue Bridge V2)
CVE-2025-53511 (shared CWE-122)
CVE-2026-20868 (shared CWE-122)
CVE-2026-0006 (shared CWE-122)
CVE-2026-22828 (shared CWE-122)
CVE-2026-4395 (shared CWE-122)
CVE-2025-23317 (shared CWE-122)

Affected Assets

Philips Hue Bridge V2 firmware, versions ≤ 1975170000

Mitigating Controls

No mitigating controls have been mapped yet. Until they are, the page's own data points to two levers: the affected range is firmware ≤ 1975170000 (see Affected Assets), and exploitation requires reaching the HomeKit service on TCP port 8080 from the bridge's network segment, so limiting which hosts can reach that port on the bridge reduces exposure while firmware outside the affected range is rolled out.
