CVE-2026-0826, a CVSS 9.2 stack-based buffer overflow in the SDP/ICE parsing component of HP Poly Voice VoIP phones, enables an unauthenticated remote attacker to gain root-level code execution by sending a specially crafted SIP INVITE request. All widely deployed HP Poly VVX and Trio conference models are affected; HP has released patches for each.
The SDP/ICE Buffer Overflow That Gives Attackers Root on HP Poly VVX and Trio Phones
The vulnerability originates in a bounds-checking failure when the phone’s SDP parser copies incoming ICE attribute strings into a 256-byte stack buffer. An attacker crafts a SIP INVITE containing oversized ICE attributes that overflow the buffer, allowing control of the program counter, registers, and stack pointer. Using Return Oriented Programming techniques, the attacker can redirect execution to arbitrary payloads and achieve root-level code execution on the device — all without supplying any credentials and without requiring the user to answer or interact with the call.
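As an added example (not code from HP or from the original article), the Python check below flags a SIP INVITE whose SDP body carries an ICE attribute value too long for the 256-byte buffer described above. The attribute names are the standard RFC 8839 set, and checking all of them is an assumption, since the article does not say which attribute reaches the vulnerable copy. The function name and the abbreviated sample messages are constructed for illustration.

```python
import re

STACK_BUF = 256  # buffer size stated in the article
# Standard ICE SDP attribute names (RFC 8839). Which of them reach the
# vulnerable copy is not stated on the page, so all are checked (assumption).
ICE_ATTRS = {"candidate", "remote-candidates", "ice-ufrag", "ice-pwd",
             "ice-options", "ice-lite", "ice-mismatch", "ice-pacing",
             "end-of-candidates"}

def oversized_ice_attributes(sip_message: bytes, limit: int = STACK_BUF):
    """Return [(attr_name, value_len)] for ICE attributes in an INVITE's SDP
    body whose value would not fit in `limit` bytes with a NUL terminator."""
    head, sep, body = sip_message.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = sip_message.partition(b"\n\n")  # tolerate bare LF
    if head.split(b" ", 1)[0].upper() != b"INVITE":
        return []  # the article describes INVITE requests only
    findings = []
    # Split on every line ending a lenient device parser might accept.
    for line in re.split(rb"\r\n|\n|\r", body):
        if not line.lower().startswith(b"a="):
            continue
        name, _, value = line[2:].partition(b":")
        name = name.strip().lower().decode("ascii", "replace")
        if name in ICE_ATTRS and len(value) >= limit:
            findings.append((name, len(value)))
    return findings

def _invite(ufrag: str) -> bytes:
    """Constructed, abbreviated sample INVITE (not captured traffic)."""
    sdp = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
           "t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
           f"a=ice-ufrag:{ufrag}\r\na=ice-pwd:asd88fgpdd777uzjYhagZg\r\n"
           "a=candidate:1 1 UDP 2130706431 192.0.2.10 49170 typ host\r\n")
    return ("INVITE sip:room@example.test SIP/2.0\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}").encode()

NORMAL = _invite("8hhY")          # constructed: ordinary short ufrag
OVERSIZED = _invite("A" * 300)    # constructed: value longer than the buffer

if __name__ == "__main__":
    print(oversized_ice_attributes(NORMAL))
    print(oversized_ice_attributes(OVERSIZED))
```

A check of this kind can run on a SIP proxy or over captured signalling to surface suspicious INVITEs while firmware updates are being rolled out.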
All Major HP Poly VVX and Trio Enterprise Models in Scope
Every widely deployed model in the HP Poly enterprise line is affected: VVX 150, VVX 250, VVX 350, VVX 450, and the Trio conference series (8800, 8500, and 8300). These devices are installed in enterprise conference rooms, executive offices, and open-plan workspaces across organizations of all sizes. The breadth of affected hardware means that virtually any enterprise running HP Poly endpoints faces exposure until patches are applied.
VoIP Phones as Persistent, Unmonitored Footholds on Corporate Networks
Enterprise VoIP phones occupy a position in corporate network architecture that makes them disproportionately valuable as attacker footholds. They reside in trusted network segments alongside servers and workstations, share LAN access with internal systems, and are often physically present in sensitive locations — executive meeting rooms, HR offices, finance departments.
Why HP Poly Phones Are Outside Typical Enterprise Patch Cycles
Despite their network position, VoIP phones almost universally lack endpoint protection agents and are rarely included in enterprise patch management programs. Security operations teams monitoring EDR alerts, SIEM logs, and vulnerability scanners typically have no visibility into VoIP phone firmware versions or device behavior. This gap means CVE-2026-0826 creates a persistent, silent foothold for any attacker capable of sending a SIP INVITE to a reachable HP Poly endpoint.
From that foothold, an attacker with root access to a VoIP phone can monitor audio traffic, capture authentication credentials passed over the network, conduct passive reconnaissance of internal traffic, and move laterally to adjacent systems in the same trusted segment.
Patch Availability and Interim Mitigation for CVE-2026-0826
HP has released firmware patches for all affected VVX and Trio models, addressing the bounds-checking failure in the SDP/ICE parser. For environments unable to deploy patches immediately, disabling the ICE connectivity feature is a viable interim mitigation — removing the vulnerable code path while preserving basic SIP call functionality.
Organizations managing HP Poly VoIP deployments should treat this patch as priority-one given the unauthenticated, network-reachable attack vector and the trusted network position these devices typically hold.