CVE-2026-3555

Name of the Vulnerable Software and Affected Versions Philips Hue Bridge (affected versions not specified)

Description A heap-based buffer overflow exists in the custom command handler of the Zigbee stack. This issue occurs due to insufficient validation of data size before it is copied into a fixed-size heap buffer during the processing of custom Zigbee ZCL (Zigbee Cluster Library) frames within the Model Info download functionality. Network-adjacent attackers can exploit this flaw to execute arbitrary code in the context of the device. Exploitation requires user interaction, specifically that the user must initiate the device pairing process.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.