VYPR
Published Jun 1, 2026 · 2 sources

CVE-2026-0826: Critical Stack Overflow in HP Poly VoIP Phones Opens Door to AI-Powered Impersonation

Rapid7 disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VVX and Trio VoIP phones, enabling remote code execution and posing risks of eavesdropping and AI-driven voice impersonation.

Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow vulnerability affecting multiple HP Poly VoIP devices, including the VVX and Trio product lines. Discovered by senior principal security researcher Stephen Fewer, the flaw allows a remote, unauthenticated attacker to achieve full code execution on the device. The vulnerability is particularly concerning because these phones are often deployed in sensitive environments such as executive offices, conference rooms, hospital stations, and trading floors, where they handle confidential conversations daily.

The technical root cause is a classic memory corruption bug — a stack-based buffer overflow — that, under the right conditions, can be exploited to gain control of the device. Despite the presence of modern exploit mitigations, Rapid7 researchers found that the protections in place were insufficient to prevent the bug from being turned into meaningful code execution. As Fewer notes, "modern mitigations absolutely matter, and in many cases they do make exploitation more difficult. But they don't make memory corruption go away." The exploitation path remains very real, even in 2026.

The impact extends beyond mere device compromise. Attackers who gain a root shell on a Poly VoIP phone can use it as a foothold for lateral movement, call manipulation, traffic interception, or quiet persistence. These devices are notoriously difficult to monitor with standard security tools — you cannot run EDR on a desk phone, and they often sit on the network for years with little scrutiny. This makes them ideal targets for advanced threat actors seeking to operate under the radar.

Perhaps the most alarming implication is the potential for audio collection in the age of AI. High-quality voice data has become a prime target for attackers, who can use it to fuel synthetic speech tooling for vishing, deepfakes, and social engineering. A compromised desk phone in an executive office can serve as a collection point for the kind of clean source audio needed to impersonate key individuals. "The concern is not just 'someone might hear something confidential,'" the Rapid7 report states. "The broader concern is that voice infrastructure can now support both traditional eavesdropping and AI-powered impersonation attacks."

HP Poly has released patches for the affected devices. Organizations are urged to apply the updates immediately and to reassess the security posture of their VoIP infrastructure. The vulnerability underscores a persistent blind spot in enterprise security: trusted communications devices that are often overlooked in threat models. As Fewer emphasizes, "old bug classes never really went away; they just found new places to cause problems."

Rapid7's technical analysis reveals that the overflow occurs in the ParseICECandidate helper function within the polyapp binary, which memcpy's user-supplied SDP candidate data into a 256-byte stack buffer without length checking. A Metasploit module is now publicly available, demonstrating unauthenticated remote code execution with root privileges on a Poly VVX 450 running firmware 6.4.7.4477 when ICE is enabled. The disclosure includes a full proof-of-concept SIP INVITE request, making exploitation straightforward for attackers.
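The bug class described above, an unbounded memcpy of an SDP candidate attribute into a fixed 256-byte stack buffer, is easiest to understand beside its hardened form. The following is an added illustration written for this summary; it is not the polyapp source, Rapid7's analysis code, or the Metasploit module. The only detail taken from the page is the 256-byte buffer size; the function names, the return codes, the choice to reject rather than truncate over-long values, and the sample SDP body are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Destination size reported by Rapid7 for the stack buffer in ParseICECandidate. */
#define CAND_BUF 256

enum parse_rc { PARSE_OK = 0, PARSE_TOO_LONG = -1, PARSE_BAD_INPUT = -2 };

/* The defect pattern the advisory describes (hypothetical reconstruction, not
 * the vendor's code): the attribute value is copied into a fixed stack buffer
 * with the caller-supplied length and no comparison against sizeof buf.
 * Any vlen > CAND_BUF overwrites the stack frame. Only ever called here with
 * a short, in-bounds value. */
static void copy_candidate_unchecked(const char *val, size_t vlen)
{
    char buf[CAND_BUF];
    memcpy(buf, val, vlen);          /* no bound check: the root cause */
    (void)buf;
}

/* Hardened version: extract the value of one SDP "a=candidate:" line into
 * out (capacity outsz). Returns PARSE_OK, or a negative code; on any error
 * out[0] is '\0'. A value of outsz-1 bytes fits (room for the terminator),
 * outsz or more is rejected rather than silently truncated. */
int parse_ice_candidate_safe(const char *line, size_t linelen,
                             char *out, size_t outsz)
{
    static const char prefix[] = "a=candidate:";
    const size_t plen = sizeof prefix - 1;

    if (outsz == 0)
        return PARSE_BAD_INPUT;
    out[0] = '\0';
    if (linelen < plen || memcmp(line, prefix, plen) != 0)
        return PARSE_BAD_INPUT;

    const char *val = line + plen;
    size_t vlen = linelen - plen;
    while (vlen > 0 && (val[vlen - 1] == '\r' || val[vlen - 1] == '\n'))
        vlen--;                      /* drop the line terminator */
    if (vlen == 0)
        return PARSE_BAD_INPUT;

    /* The missing check: value plus NUL must fit the destination. */
    if (vlen >= outsz)
        return PARSE_TOO_LONG;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return PARSE_OK;
}

/* Defender-side heuristic: count candidate lines in an SDP body whose value
 * would not fit a CAND_BUF-byte buffer. Useful over captured INVITE bodies
 * from a SIP proxy or packet capture to flag malformed offers. */
int count_oversized_candidates(const char *sdp)
{
    int n = 0;
    const char *p = sdp;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) + 1 : strlen(p);
        char buf[CAND_BUF];
        if (parse_ice_candidate_safe(p, len, buf, sizeof buf) == PARSE_TOO_LONG)
            n++;
        p += len;
    }
    return n;
}

/* Constructed sample body (not a real capture): one well-formed host
 * candidate followed by one whose value is 300 bytes, i.e. larger than the
 * 256-byte buffer. Returns the byte length written, 0 if dst is too small. */
size_t build_sample_sdp(char *dst, size_t cap)
{
    const char *head =
        "v=0\r\n"
        "m=audio 5004 RTP/AVP 0\r\n"
        "a=candidate:1 1 UDP 2130706431 192.0.2.10 5004 typ host\r\n"
        "a=candidate:";
    size_t hl = strlen(head);
    if (cap < hl + 300 + 3)
        return 0;
    memcpy(dst, head, hl);
    memset(dst + hl, 'A', 300);
    memcpy(dst + hl + 300, "\r\n", 3);   /* copies the NUL too */
    return hl + 302;
}

int main(void)
{
    char sdp[1024];
    build_sample_sdp(sdp, sizeof sdp);
    copy_candidate_unchecked("1 1 UDP 2130706431 192.0.2.10 5004 typ host", 43);
    printf("oversized candidate lines: %d\n", count_oversized_candidates(sdp));
    return 0;
}
```

The essential change is the single comparison before the copy; everything else (explicit NUL termination, clearing the output on error, refusing rather than truncating) closes the secondary mistakes that commonly accompany this bug class. The counting helper is a coarse detection aid only: a legitimate candidate line is far shorter than 256 bytes, so any offer that trips it deserves a look.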

Synthesized by Vypr AI