A critical vulnerability has been discovered in HP Poly VoIP phones that allows remote attackers to gain root-level code execution on affected devices. The bug, identified as CVE-2026-0826, is an unauthenticated stack-based buffer overflow in the SDP parsing component of ICE-enabled phones. Attackers can exploit the flaw to gain control of the device, potentially leading to further compromise of the enterprise network. Patches are available for affected models, and administrators are advised to prioritize updates based on their exposure and evidence of exploitation [1]. The vulnerability affects HP Poly VVX 450 Voice over Internet phones, among other models. This disclosure highlights the importance of regularly updating and patching VoIP devices to prevent potential security breaches. For practitioners, what matters is that this vulnerability expands the active attack surface, so the risk should be assessed and addressed promptly.
Why an HP Poly VoIP Phones Bug Could Become an Enterprise Foothold
⚠️ Critical Alert
Why This Matters
CVE-2026-0826 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- SecurityAffairs. (2026, June 3). Why an HP Poly VoIP Phones Bug Could Become an Enterprise Foothold. SecurityAffairs. https://securityaffairs.com/193045/security/why-an-hp-poly-voip-phones-bug-could-become-an-enterprise-foothold.html
Original Source
SecurityAffairs