A critical flaw in multiple HP Poly Voice VoIP phone models can be exploited for root-level remote code execution through malicious SIP/SDP traffic, putting enterprise networks at risk. Rapid7 says affected devices such as the HP VVX and Trio series should be patched or have ICE disabled where it is not needed. #CVE-2026-0826 #HPPolyVoice #HPVVX #TrioIPConference
Keypoints
- CVE-2026-0826 is a critical stack-based buffer overflow in SDP attribute parsing.
- The flaw affects HP Poly Voice phones with ICE enabled.
- Attackers can trigger it with a malicious SIP INVITE request.
- Exploitation can lead to remote code execution with root privileges.
- Patches are available, and disabling ICE can reduce exposure.