Last updated: July 5, 2026 at 9:01 AM UTC

HP Poly VVX VoIP phones: unauthenticated root RCE CVE-2026-0826 via oversized ICE candidate in SIP INVITE, patches available

Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VoIP phones that gives a remote attacker root-level code execution. Discovered during zero-day research against a Poly VVX 450, the flaw sits in SDP parsing for ICE-enabled phones: the device copies a candidate attribute into a 256-byte stack buffer without a length check, so an oversized ICE candidate in a crafted SIP INVITE overflows the stack and can overwrite the program counter. NX is enabled but ASLR misbehaves, loading shared libraries at fixed addresses that make a ROP chain practical. An attacker needs no authentication. Patches are available for affected models.

Check
Inventory HP Poly VoIP phones (VVX and ICE-enabled models) by firmware. Confirm SIP/VoIP interfaces are not reachable from untrusted networks. Apply the CVE-2026-0826 patch for affected models.
Affected
HP Poly VoIP phones (VVX 450 confirmed) with ICE enabled. An unauthenticated SIP INVITE carrying an oversized ICE candidate triggers a root-level stack overflow; fixed-address libraries make ROP practical.
Fix
Apply Rapid7-referenced patches immediately. Place VoIP phones on a dedicated VLAN with strict ACLs. Block SIP from untrusted networks and monitor for malformed INVITE traffic.
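
One way to act on "monitor for malformed INVITE traffic", as an added example that is not from Rapid7 or HP: the check below flags INVITEs whose SDP body carries an unusually long `a=candidate` line. The 255-byte threshold, the function names and the sample messages are assumptions built for illustration; the page states only that the buffer is 256 bytes.

```python
MAX_CANDIDATE_LEN = 255  # assumption: tune to your traffic; the page gives only the 256-byte buffer size

def oversized_candidates(sip_message: bytes, limit: int = MAX_CANDIDATE_LEN):
    """Return [(length, preview)] for a=candidate lines longer than `limit` in an INVITE."""
    text = sip_message.replace(b"\r\n", b"\n")   # tolerate CRLF and bare-LF senders
    head, sep, body = text.partition(b"\n\n")    # split headers from the SDP body
    if not sep or not head.upper().startswith(b"INVITE "):
        return []
    hits = []
    for line in body.split(b"\n"):
        if line.lower().startswith(b"a=candidate:") and len(line) > limit:
            # Keep only a short preview so alerts never carry the full attribute.
            hits.append((len(line), line[:40].decode("ascii", "replace")))
    return hits

def build_invite(candidate_line: bytes, method: bytes = b"INVITE") -> bytes:
    """Constructed sample message (documentation addresses, hypothetical users)."""
    sdp = b"\r\n".join([
        b"v=0", b"o=- 1 1 IN IP4 192.0.2.10", b"s=-", b"c=IN IP4 192.0.2.10",
        b"t=0 0", b"m=audio 49170 RTP/AVP 0", candidate_line, b"",
    ])
    headers = b"\r\n".join([
        method + b" sip:phone@192.0.2.20 SIP/2.0",
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
        b"From: <sip:a@example.com>;tag=1", b"To: <sip:phone@192.0.2.20>",
        b"Call-ID: constructed-1", b"CSeq: 1 " + method,
        b"Content-Type: application/sdp",
        b"Content-Length: " + str(len(sdp)).encode(),
    ])
    return headers + b"\r\n\r\n" + sdp

# Constructed inputs: a typical host candidate and a filler-padded one.
NORMAL = b"a=candidate:1 1 UDP 2130706431 192.0.2.10 49170 typ host"
OVERSIZED = b"a=candidate:" + b"x" * 300

if __name__ == "__main__":
    for name, cand in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(name, oversized_candidates(build_invite(cand)))
```

The same length test can be applied at a SIP proxy or session border controller in front of the phone VLAN, where an over-limit INVITE can be dropped rather than only logged.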