Mallory
Critical

Unauthenticated RCE in HP Poly Voice ICE SDP Parsing

Identifiers: CVE-2026-0826, CWE-121 · Stack-based Buffer Overflow

CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow affecting HP Poly Voice/VoIP devices on the Linux platform, including Poly VVX and Trio product lines. The flaw is exposed when Interactive Connectivity Establishment (ICE) is enabled. According to the provided reporting, the vulnerable code is in SDP parsing of ICE candidate attributes within the polyapp binary, specifically in the helper function ParseICECandidate, which copies attacker-controlled candidate data into a 256-byte stack buffer using memcpy without enforcing a length check. A remote attacker can send a crafted SIP INVITE containing an oversized SDP candidate attribute to trigger the overflow, overwrite control data including the program counter, and achieve code execution. Rapid7 reported exploitation against firmware 6.4.7.4477 and noted that although NX is enabled, practical exploitation is facilitated because PIE is disabled and shared libraries such as libc load at fixed addresses, enabling ROP-based bypass of NX.
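The bug class described above, the fixed-size stack buffer filled by an unchecked memcpy, modelled as an added example that is not Poly's code: a minimal SDP `a=candidate:` value parser that bounds the copy against its 256-byte buffer and rejects oversized attributes. Function, struct and field names are assumptions; the sample candidate values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class on this page (not Poly's code):
 * an SDP "a=candidate:" value staged in a fixed 256-byte stack buffer.
 * Names and layout below are assumptions for the example. */
#define CAND_BUF 256

enum { CAND_OK = 0, CAND_TOO_LONG = -1, CAND_MALFORMED = -2 };

/* Minimal view of the leading fields of an ICE candidate line (RFC 8839). */
struct ice_candidate {
    char foundation[33];
    unsigned component;
    char transport[8];
    unsigned long priority;
    char addr[64];
    unsigned port;
};

/* Hardened parse: the value length is checked against the stack buffer before
 * the copy. The vulnerable pattern described on the page is this same function
 * with the check absent, i.e. memcpy(buf, value, value_len) for any value_len. */
int parse_ice_candidate(const char *value, size_t value_len, struct ice_candidate *out) {
    char buf[CAND_BUF];
    if (value_len >= CAND_BUF)          /* keep room for the terminator */
        return CAND_TOO_LONG;           /* reject instead of overflowing */
    memcpy(buf, value, value_len);
    buf[value_len] = '\0';
    memset(out, 0, sizeof *out);
    /* Field widths on each %s bound the conversion to its destination size. */
    if (sscanf(buf, "%32s %u %7s %lu %63s %u", out->foundation, &out->component,
               out->transport, &out->priority, out->addr, &out->port) != 6)
        return CAND_MALFORMED;
    return CAND_OK;
}

/* Constructed sample: a well-formed candidate value. */
static const char GOOD_CANDIDATE[] = "1 1 UDP 2130706431 192.0.2.10 5000 typ host";

/* Constructed sample: a 400-byte attribute value, larger than the buffer. */
int check_oversized(void) {
    char big[400];
    struct ice_candidate c;
    memset(big, 'A', sizeof big);
    return parse_ice_candidate(big, sizeof big, &c);
}
```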


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation provides unauthenticated remote code execution on the target phone with root privileges. This gives an attacker full administrative control of the device, enabling compromise of confidentiality, integrity, and availability of the phone and potentially allowing the device to be used as a trusted-network foothold. Reported downstream risks include interception or exposure of internal corporate audio traffic, espionage via microphones in offices and conference rooms, lateral movement within enterprise environments, persistence on a lightly monitored embedded device, and voice/call manipulation or fraud.

Mitigation

If you can’t patch tonight, do this now.

Disable ICE connectivity where it is not required. The vulnerability is described as reachable only in scenarios where an administrator has enabled Interactive Connectivity Establishment, and the content indicates ICE is not enabled by default. Limiting SIP exposure to trusted sources and accelerating firmware deployment would also reduce exposure, but the vendor-specific mitigation explicitly provided is to disable ICE if unnecessary.

Remediation

Patch, then assume compromise.

Apply HP Poly's patched UCS firmware releases for affected devices. The provided content identifies patched versions as VVX UCS 6.4.8, Trio 8300 UCS 8.1.7, Trio 8500 UCS 7.2.8, and Trio 8800 UCS 7.2.8. HP recommends updating affected devices through HP Poly Lens Device Management and keeping firmware/software current across the fleet.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

Valid: 0 / 0 total

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                     | Product        | Type
Hewlett Packard Enterprise | Poly Trio 8300 | hardware
Hewlett Packard Enterprise | Poly Trio 8500 | hardware
Hewlett Packard Enterprise | Poly Trio 8800 | hardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
