A critical unauthenticated stack buffer overflow, tracked as CVE-2026-0826, has been discovered in HP Poly VVX and Trio VoIP phones. It allows remote attackers to execute arbitrary code with root privileges [1]. The flaw lies in how the devices parse Session Description Protocol (SDP) attributes for Interactive Connectivity Establishment (ICE). The vulnerability has been fixed, but its disclosure expands the active attack surface, so practitioners should prioritize mitigation based on their exposure and exploitation evidence. For security practitioners, it underlines the need for proactive patch management and vulnerability assessment of VoIP phones.
CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)
⚠️ Critical Alert
Why This Matters
CVE-2026-0826 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
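The bug class named in the summary, shown from the fix side: an added example (not HP Poly firmware code and not from the Rapid7 write-up) of parsing ICE credential attributes out of SDP with the length validated before any copy into a fixed buffer. The page does not say which ICE attribute is affected; `ice-ufrag` and `ice-pwd`, their RFC 8839 length limits, and the names `ice_creds` and `parse_ice_line` are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Limits from the RFC 8839 grammar: ufrag = 4*256ice-char, password = 22*256ice-char. */
#define ICE_MAX       256
#define ICE_UFRAG_MIN 4
#define ICE_PWD_MIN   22

enum ice_rc { ICE_OK = 0, ICE_NOT_ICE = 1, ICE_TOO_SHORT = -1, ICE_TOO_LONG = -2, ICE_BAD_CHAR = -3 };

struct ice_creds {              /* hypothetical struct for this example */
    char ufrag[ICE_MAX + 1];    /* +1 for the terminating NUL */
    char pwd[ICE_MAX + 1];
};

/* ice-char = ALPHA / DIGIT / "+" / "/" */
static int is_ice_char(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/';
}

/* Validate the value, then copy it; dst is written only when every check passes. */
static enum ice_rc copy_value(const char *v, size_t min, char *dst) {
    size_t n = strcspn(v, "\r\n");          /* value runs to end of line */
    if (n > ICE_MAX) return ICE_TOO_LONG;   /* reject instead of truncating */
    if (n < min) return ICE_TOO_SHORT;
    for (size_t i = 0; i < n; i++)
        if (!is_ice_char((unsigned char)v[i])) return ICE_BAD_CHAR;
    memcpy(dst, v, n);
    dst[n] = '\0';
    return ICE_OK;
}

/* Parse one SDP line; lines that are not ICE credentials are reported, not copied. */
enum ice_rc parse_ice_line(const char *line, struct ice_creds *out) {
    if (strncmp(line, "a=ice-ufrag:", 12) == 0)
        return copy_value(line + 12, ICE_UFRAG_MIN, out->ufrag);
    if (strncmp(line, "a=ice-pwd:", 10) == 0)
        return copy_value(line + 10, ICE_PWD_MIN, out->pwd);
    return ICE_NOT_ICE;
}
```

A negative return value is the signal to reject the whole SDP body and log the sender, which also gives defenders a detection point for malformed ICE attributes at a SIP proxy or session border controller.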
References
- Rapid7. (2026, June 1). CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED). Rapid7 Blog. https://www.rapid7.com/blog/post/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed