PT-2026-45420 · Poly · Vvx 250+6

Published 2026-06-01 · Updated 2026-06-02 · CVE-2026-0826

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Poly Voice VVX 150, Poly Voice VVX 250, Poly Voice VVX 350, Poly Voice VVX 450, Poly Voice Trio 8300, Poly Voice Trio 8500, Poly Voice Trio 8800

Description

A stack-based buffer overflow exists in Poly Voice products on the Linux platform during parsing of Session Description Protocol (SDP) attributes. The flaw is in the ParseICECandidate() function and is exposed when the Interactive Connectivity Establishment (ICE) feature is enabled. An unauthenticated attacker can exploit it by sending a malicious SIP INVITE request to UDP port 5060 containing an oversized a=candidate: attribute. The attribute is copied into a 256-byte stack buffer with memcpy() and no bounds check in /user/local/root/polyapp; the resulting overflow lets the attacker bypass NX protection with a ROP chain and execute code remotely with root privileges. Successful exploitation could lead to unauthorized access to enterprise networks, eavesdropping, and lateral movement.

Recommendations

Update the firmware for VVX 150, VVX 250, VVX 350, VVX 450, Trio 8300, Trio 8500, and Trio 8800 to the latest patched version. As a temporary mitigation, disable the Interactive Connectivity Establishment (ICE) feature if it is not required.
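As an added example (not from the advisory and not Poly's code), the following Python check flags SIP INVITE requests whose SDP body carries an a=candidate: attribute longer than the 256-byte buffer the advisory describes; the sample messages are constructed here, and using 256 bytes as the detection cut-off is an assumption made for this example.

```python
"""Flag SIP INVITEs whose SDP carries an oversized a=candidate attribute.

Added example, not from the advisory or from Poly. The 256-byte limit is taken
from the advisory's description of the overflowed buffer; treating anything
longer as suspicious is an assumption made here for detection purposes.
"""
import re

CANDIDATE_LIMIT = 256  # advisory: 256-byte stack buffer in ParseICECandidate()
_REQUEST_LINE = re.compile(r"^INVITE\s+\S+\s+SIP/2\.0$")


def split_sip(message: str):
    """Return (request_line, headers dict, body) for a SIP message text."""
    text = message.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def oversized_candidates(message: str, limit: int = CANDIDATE_LIMIT):
    """Return [(body_line_no, byte_length)] for a=candidate: values over limit.

    Only INVITE requests with an SDP body are inspected, matching the trigger
    path in the advisory (SIP INVITE to UDP/5060 with ICE enabled).
    """
    request_line, headers, body = split_sip(message)
    if not _REQUEST_LINE.match(request_line):
        return []
    if "sdp" not in headers.get("content-type", "").lower():
        return []
    findings = []
    for no, line in enumerate(body.split("\n"), start=1):
        if line.startswith("a=candidate:"):
            size = len(line[len("a=candidate:"):].encode("utf-8"))
            if size > limit:
                findings.append((no, size))
    return findings


# Constructed sample messages for a stand-alone run (not captured traffic).
BENIGN = (
    "INVITE sip:phone@example.invalid SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=candidate:1 1 UDP 2130706431 192.0.2.10 49170 typ host\r\n"
)
SUSPECT = BENIGN.replace("typ host", "typ host " + "X" * 300)
```

Run against a packet capture, a non-empty result for an INVITE aimed at a phone in the affected list is the signal to investigate, and an empty result for non-INVITE or non-SDP messages is expected.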

Fix

RCE

Stack Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-0826

Affected Products

Trio 8300
Trio 8500
Trio 8800
Vvx 150
Vvx 250
Vvx 350
Vvx 450