CVE-2026-0826
Published: 2026-06-01
Priority: P277 · Severity: critical · CVSS 4.0 base score: 9.2
CVSS 4.0 vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: available · EPSS: 26.47% (97.8th percentile)
In certain scenarios when the admin has enabled Interactive Connectivity Establishment (ICE), a buffer overflow could enable remote code execution on Poly Voice products on the Linux platform.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp_inc | poly_trio_8300 | < 8.1.7 | 8.1.7 |
| hp_inc | poly_trio_8500 | < 7.2.8 | 7.2.8 |
| hp_inc | poly_trio_8800 | < 7.2.8 | 7.2.8 |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/poly_unauth_rce_cve_2026_0826.rb
Detection:
- Detect oversized SDP `a=candidate:` attributes (>256 bytes) in SIP INVITE messages over UDP/5060 — this is the direct trigger for the stack buffer overflow in ParseICECandidate.
- Monitor SIP INVITE traffic to Poly VVX/Trio devices on UDP port 5060 containing `a=candidate:` SDP lines with anomalously long payloads (e.g., repeated 'A'/'B'/'C'/'1'-'4' character sequences far exceeding normal ICE candidate length).
- Alert on SIP INVITE requests with `Content-Type: application/sdp` where the SDP body contains an `a=candidate:` line longer than 256 bytes — no authentication is required for exploitation.
- The exploit uses a ROP chain built from fixed libc addresses starting at 0x40000000; network-level detection should look for SIP INVITE payloads containing binary data or non-printable bytes embedded in SDP candidate attributes.
- Check for the presence of `device.feature.nat.ice.enabled="1"` in device configurations — this non-default setting is required for exploitability and should be audited across all Poly VVX/Trio deployments.
- Hunt for unexpected outbound reverse shell connections originating from Poly VVX/Trio device IPs — the Metasploit module demonstrates RCE via a reverse shell payload executed as root.

Context:
- ICE must be explicitly enabled (non-default) for the device to be remotely exploitable. Devices with ICE disabled are not vulnerable to remote attack.
- ASLR is present but ineffective on the target firmware — libc and all shared libraries load at fixed addresses (starting at 0x40000000), making ROP-based exploitation reliable without an information leak.
- The polyapp binary lacks stack canary, RELRO, PIE, and fortify_source protections, leaving only NX as a mitigation — which is bypassed via the ROP chain.
- The polyapp binary is not compiled as PIE and is always loaded at the low address 0x00008000; however, ROP gadgets from this range cannot be used because null bytes in those addresses are filtered during SDP processing.
- The vulnerable device runs Linux kernel 2.6.27.18 on armv6l — EDR and host-based telemetry are not available on these devices, making network-level detection the primary defensive control.
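The detection items above describe a network-level check (SIP INVITE with an SDP body whose `a=candidate:` line is oversized or carries non-printable bytes) and a configuration audit (`device.feature.nat.ice.enabled="1"`). The following is an added example, not code from the Metasploit module, Rapid7, or Poly, that implements both checks over constructed messages. The 256-byte threshold, the SIP port and header names, and the config attribute come from the text above; the SIP fixture addresses (192.0.2.x), the `build_invite` helper and the assumption that Poly config files carry the attribute as a `name="value"` pair are mine.

```python
"""Constructed detection example for CVE-2026-0826 (not the Metasploit module or Poly code).

Flags SIP INVITE messages carrying SDP whose a=candidate: lines are oversized
(>256 bytes, the overflow trigger named in the advisory) or contain non-printable
bytes, and audits a config snippet for the non-default ICE setting."""
import re
from typing import Dict, List, Tuple

MAX_CANDIDATE_LINE = 256            # threshold from the advisory: longer lines are anomalous
CANDIDATE_PREFIX = b"a=candidate:"
# Assumption: the config carries the setting as an XML-style name="value" attribute.
ICE_ENABLED_RE = re.compile(r'device\.feature\.nat\.ice\.enabled\s*=\s*"1"')


def split_sip_message(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split a raw SIP datagram into (start line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_sip_invite(raw: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious a=candidate: line in an SDP-bearing INVITE."""
    findings: List[Dict[str, object]] = []
    start_line, headers, body = split_sip_message(raw)
    if not start_line.startswith(b"INVITE "):
        return findings                                   # only INVITE carries the offer
    if headers.get(b"content-type", b"").lower() != b"application/sdp":
        return findings
    for lineno, line in enumerate(body.split(b"\n"), 1):
        line = line.rstrip(b"\r")                         # tolerate LF-only SDP bodies
        if not line.startswith(CANDIDATE_PREFIX):
            continue
        if len(line) > MAX_CANDIDATE_LINE:
            findings.append({"rule": "oversized_ice_candidate",
                             "sdp_line": lineno, "length": len(line)})
        # ROP chains embedded in the attribute show up as non-printable bytes (tab allowed).
        if any((b < 0x20 or b > 0x7E) and b != 0x09 for b in line):
            findings.append({"rule": "binary_in_ice_candidate",
                             "sdp_line": lineno, "length": len(line)})
    return findings


def ice_enabled_in_config(config_text: str) -> bool:
    """True if the config turns on the non-default ICE feature the advisory names."""
    return ICE_ENABLED_RE.search(config_text) is not None


def build_invite(sdp_lines: List[bytes]) -> bytes:
    """Assemble a constructed SIP INVITE with an SDP body (test fixture, not captured traffic)."""
    body = b"\r\n".join(sdp_lines) + b"\r\n"
    headers = [
        b"INVITE sip:1001@192.0.2.20 SIP/2.0",
        b"Via: SIP/2.0/UDP 192.0.2.5:5060;branch=z9hG4bK-constructed",
        b"From: <sip:2002@192.0.2.5>;tag=c1",
        b"To: <sip:1001@192.0.2.20>",
        b"Call-ID: constructed-1@192.0.2.5",
        b"CSeq: 1 INVITE",
        b"Content-Type: application/sdp",
        b"Content-Length: " + str(len(body)).encode(),
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


# Constructed SDP fixtures: a normal host candidate and one shaped like the advisory's payload.
BASE_SDP = [b"v=0", b"o=- 1 1 IN IP4 192.0.2.5", b"s=-",
            b"c=IN IP4 192.0.2.5", b"t=0 0", b"m=audio 4000 RTP/AVP 0"]
NORMAL_CANDIDATE = b"a=candidate:1 1 UDP 2130706431 192.0.2.5 4000 typ host"
OVERSIZED_CANDIDATE = b"a=candidate:" + b"A" * 600

if __name__ == "__main__":
    print(inspect_sip_invite(build_invite(BASE_SDP + [NORMAL_CANDIDATE])))     # []
    print(inspect_sip_invite(build_invite(BASE_SDP + [OVERSIZED_CANDIDATE])))  # one oversized_ice_candidate finding
    print(ice_enabled_in_config('<device device.feature.nat.ice.enabled="1"/>'))  # True
```

The length check is applied to the whole `a=candidate:` line rather than the parsed fields, so a line that a real SDP parser would reject still counts; that matches the advisory's point that the overflow happens during parsing, before any validation. Feed `inspect_sip_invite` the UDP payload of each packet to port 5060 (from a capture or a SIP-aware sensor) and route findings to the alerting pipeline.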
No detection rules found.
Hackernews
⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
blogs_hackernews · 2026-06-08 · CVSS 8.4 · CVE-2025-48595 [HIGH]
## ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked.
A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit.
Lots to cover. Grab coffee. Read up.
## ⚡ Threat of the Week
Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain
Rapid7
CVE-2026-0826: How an Old Bug Can Feed AI-Powered Impersonation
blogs_rapid7 · 2026-06-01 · CVSS 9.2 · CVE-2026-0826 [CRITICAL]
One of the more persistent myths in security is that old bug classes become old problems. They don’t. They just show up in different places, under different conditions, and usually at the exact moment we’ve convinced ourselves not to pay attention to them.
That’s part of what makes enterprise voice infrastructure so interesting.
Earlier this year, we wrote about a critical vulnerability in Grandstream VoIP phones that showed how easily a trusted communications device could become something very different. It wasn't especially flashy, but it reinforced the broader issue that phones are still part of the attack surface, even if many organizations don’t model them that way.
Today, we'll again discuss the same uncomfortable reality. VoIP technology may sit quietly on a desk and look like a
Rapid7
CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)
blogs_rapid7 · 2026-06-01 · CVSS 9.2 · CVE-2026-0826 [CRITICAL]
## Overview
Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol (VoIP) phone. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-0826. A remote attacker can leverage CVE-2026-0826 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device.
The vulnerability is present in the device's parsing of Session Description Protocol (SDP) attributes for Interactive Connectivity Establishment (ICE). The ICE feature, which is not enabled by default, must be enabled for the device to be exploitable by a remote attacker.
While we discovered and validated the vulnerability on a VVX 450 device, the vulnerability has been confirmed to affect all
Published: 2026-06-01