CVE-2026-0826
published 2026-06-01


Priority P277 · critical · 9.2 (CVSS 4.0)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 26.47% (97.8th percentile)
In certain scenarios when the admin has enabled Interactive Connectivity Establishment (ICE), a buffer overflow could enable remote code execution on Poly Voice products on the Linux platform.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp_inc | poly_trio_8300 | < 8.1.7 | 8.1.7 |
| hp_inc | poly_trio_8500 | < 7.2.8 | 7.2.8 |
| hp_inc | poly_trio_8800 | < 7.2.8 | 7.2.8 |

Detection & IOCs (extracted from sources)

port: 5060/UDP
path: /usr/local/root/polyapp
filename: polyapp
version: 6.4.7.4477
other: ParseICECandidate at VA 0xB12780
other: libc fixed load VA 0x40a5c000 (firmware 6.4.7.4477)
url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/poly_unauth_rce_cve_2026_0826.rb
  • Detect oversized SDP `a=candidate:` attributes (>256 bytes) in SIP INVITE messages over UDP/5060 — this is the direct trigger for the stack buffer overflow in ParseICECandidate.
  • Monitor SIP INVITE traffic to Poly VVX/Trio devices on UDP port 5060 containing `a=candidate:` SDP lines with anomalously long payloads (e.g., repeated 'A'/'B'/'C'/'1'-'4' character sequences far exceeding normal ICE candidate length).
  • Alert on SIP INVITE requests with Content-Type: application/sdp where the SDP body contains an `a=candidate:` line longer than 256 bytes — no authentication is required for exploitation.
  • The exploit uses a ROP chain built from fixed libc addresses starting at 0x40000000; network-level detection should look for SIP INVITE payloads containing binary data or non-printable bytes embedded in SDP candidate attributes.
  • Check for the presence of `device.feature.nat.ice.enabled="1"` in device configurations — this non-default setting is required for exploitability and should be audited across all Poly VVX/Trio deployments.
  • Hunt for unexpected outbound reverse shell connections originating from Poly VVX/Trio device IPs — the Metasploit module demonstrates RCE via a reverse shell payload executed as root.
  • ICE must be explicitly enabled (non-default) for the device to be remotely exploitable. Devices with ICE disabled are not vulnerable to remote attack.
  • ASLR is present but ineffective on the target firmware — libc and all shared libraries load at fixed addresses (starting 0x40000000), making ROP-based exploitation reliable without an information leak.
  • The polyapp binary lacks stack canary, RELRO, PIE, and fortify_source protections, leaving only NX as a mitigation — which is bypassed via ROP chain.
  • The polyapp binary is not compiled as PIE and is always loaded at low address 0x00008000; however, ROP gadgets from this range cannot be used because null bytes in those addresses are filtered during SDP processing.
  • The vulnerable device runs Linux kernel 2.6.27.18 on armv6l — EDR and host-based telemetry are not available on these devices, making network-level detection the primary defensive control.
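
One way to implement the network-level check from the detection notes above, as an added example that is not part of the original page or of the Metasploit module: a Python function that takes one raw UDP/5060 payload and flags `a=candidate:` lines longer than 256 bytes or containing non-printable bytes. The function names, the trimmed sample messages and the RFC 5737 addresses are constructed for illustration.

```python
import re

MAX_CANDIDATE_LEN = 256  # byte threshold taken from the detection notes above

def sdp_candidate_findings(payload: bytes) -> list[str]:
    """Findings for one UDP/5060 payload; an empty list means nothing flagged."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or not lines[0].upper().startswith(b"INVITE "):
        return []
    # Header names are case-insensitive; "c" is SIP's compact Content-Type.
    headers = {}
    for raw in lines[1:]:
        name, colon, value = raw.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip().lower()
    ctype = headers.get(b"content-type", headers.get(b"c", b""))
    if not ctype.startswith(b"application/sdp"):
        return []
    findings = []
    for n, line in enumerate(re.split(rb"\r\n|\n", body), 1):
        if not line.lower().startswith(b"a=candidate:"):
            continue
        if len(line) > MAX_CANDIDATE_LEN:
            findings.append(f"sdp line {n}: a=candidate is {len(line)} bytes")
        if any(b < 0x20 or b > 0x7E for b in line):
            findings.append(f"sdp line {n}: non-printable bytes in a=candidate")
    return findings

def make_invite(candidate: bytes, method: bytes = b"INVITE") -> bytes:
    """Constructed, trimmed SIP message (RFC 5737 addresses) for the checks."""
    sdp = (b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
           b"t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n" + candidate + b"\r\n")
    return (method + b" sip:100@192.0.2.20 SIP/2.0\r\n"
            b"Content-Type: application/sdp\r\n"
            b"Content-Length: " + str(len(sdp)).encode() + b"\r\n\r\n" + sdp)

NORMAL = b"a=candidate:1 1 UDP 2130706431 192.0.2.10 49170 typ host"
SAMPLES = {  # constructed inputs, filler bytes only
    "normal": make_invite(NORMAL),
    "oversized": make_invite(b"a=candidate:" + b"0" * 300),
    "binary": make_invite(b"a=candidate:1 1 UDP 1 \x01\xff 9 typ host"),
    "options": make_invite(b"a=candidate:" + b"0" * 300, method=b"OPTIONS"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, sdp_candidate_findings(msg))
```

The function inspects a single datagram, so fragmented payloads need to be reassembled before they are passed in.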