Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VoIP phones that gives a remote attacker root-level code execution. Discovered during zero-day research against a Poly VVX 450, the flaw sits in SDP parsing for ICE-enabled phones: the device copies a candidate attribute into a 256-byte stack buffer without a length check, so an oversized ICE candidate in a crafted SIP INVITE overflows the stack and can overwrite the program counter. NX is enabled but ASLR misbehaves, loading shared libraries at fixed addresses that make a ROP chain practical. An attacker needs no authentication. Patches are available for affected models.
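The defect class described above, an unchecked copy of an SDP attribute into a fixed 256-byte buffer, is closed by validating the length before copying. The following C code is an added example, not HP Poly's firmware code or anything from Rapid7's disclosure; the function names and the sample SDP input are constructed for illustration, and only the 256-byte size comes from the description above.

```c
#include <stddef.h>
#include <string.h>

#define CAND_BUF_LEN 256  /* buffer size given in the description above */

/* Length of the line starting at p (stops at CR, LF or NUL). */
static size_t line_len(const char *p) {
    return strcspn(p, "\r\n");
}

/*
 * Copy the idx-th "a=candidate:" value from an SDP body into out.
 * Returns 0 on success, -1 if there is no such candidate, and -2 if the
 * value does not fit in out (rejected, nothing copied). An unbounded copy
 * such as strcpy() at this point is the unsafe pattern being avoided.
 */
int copy_ice_candidate(const char *sdp, size_t idx, char *out, size_t out_len) {
    static const char prefix[] = "a=candidate:";
    const size_t plen = sizeof(prefix) - 1;
    const char *p = sdp;

    while (*p) {
        size_t n = line_len(p);
        if (n >= plen && strncmp(p, prefix, plen) == 0 && idx-- == 0) {
            size_t vlen = n - plen;
            if (out_len == 0 || vlen >= out_len)  /* need room for the NUL */
                return -2;
            memcpy(out, p + plen, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += n;
        p += strspn(p, "\r\n");  /* skip the line terminator */
    }
    return -1;
}

/* Constructed boundary input: one candidate whose value is value_len
 * filler bytes, parsed into a CAND_BUF_LEN buffer. Returns the parser result. */
int try_candidate_of_len(size_t value_len) {
    char sdp[1024] = "v=0\r\na=candidate:";
    char out[CAND_BUF_LEN];
    size_t off = strlen(sdp);

    if (off + value_len + 3 > sizeof(sdp))
        return -1;
    memset(sdp + off, 'A', value_len);
    memcpy(sdp + off + value_len, "\r\n", 3);  /* CRLF plus NUL */
    return copy_ice_candidate(sdp, 0, out, sizeof(out));
}
```

A 255-byte value is the largest that fits with its terminator; 256 bytes and above are rejected rather than truncated, so a malformed candidate never reaches later parsing stages.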
Cisco has patched a maximum-severity flaw, CVE-2026-20223, in the internal REST APIs of Cisco Secure Workload (formerly Tetration), the zero-trust microsegmentation platform used to stop lateral movement in enterprise environments. Insufficient authentication on the affected endpoints lets an unauthenticated remote attacker craft a request that returns sensitive data and modifies configuration with Site Admin privileges across tenant boundaries. Cisco's PSIRT says there is no evidence of in-the-wild exploitation yet and no workaround exists. The on-prem fixed releases are 3.10.8.3 and 4.0.3.17; the SaaS deployment has already been patched. Sites running 3.9 or earlier must migrate to a fixed release.