PatchSiren cyber security CVE debrief
CVE-2026-0826 HP Inc. CVE debrief
CVE-2026-0826 is a critical buffer overflow vulnerability in Poly Voice products on the Linux platform. It can be triggered when Interactive Connectivity Establishment (ICE) has been enabled by an administrator, and it could allow remote code execution. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow) and carries a CVSS 4.0 score of 9.2 (CRITICAL). The vendor attribution is currently uncertain: the source evidence points to HP (via [email protected]), while the description references Poly Voice products, suggesting a possible HP/Poly relationship that requires review. The vulnerability status in NVD is 'Received', indicating initial processing. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor: HP Inc.
- Product: poly_trio_8300
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations deploying Poly Voice products on Linux platforms with ICE enabled; VoIP and unified communications administrators; security teams managing HP/Poly endpoint infrastructure
Technical summary
The vulnerability exists in the ICE (Interactive Connectivity Establishment) implementation used by Poly Voice products running on Linux. ICE is a framework for NAT traversal used in VoIP and real-time communications. When ICE is enabled by an administrator, a stack-based buffer overflow (CWE-121) can be triggered, potentially allowing an unauthenticated remote attacker to execute arbitrary code. The attack requires network access and has low complexity, though attack requirements are present (AT:P in CVSS 4.0). No privileges or user interaction are required. The high CVSS score reflects complete compromise of confidentiality, integrity, and availability.
Defensive priority
CRITICAL
Recommended defensive actions
- Disable Interactive Connectivity Establishment (ICE) on affected Poly Voice Linux products if not strictly required for operations, pending patch availability
- Apply security updates from HP/Poly when released; monitor HP security bulletin for patch status
- Restrict network access to Poly Voice devices to trusted administrative segments
- Monitor for anomalous network traffic targeting ICE/STUN/TURN services on affected devices
- Review device configurations for unauthorized ICE enablement
- Validate vendor attribution and product scope due to low-confidence vendor identification in source data
Evidence notes
Vendor confidence is low due to conflicting signals: the reference domain candidate suggests 'Hp' while the product description names 'Poly Voice products'. The canonical source is marked as 'reference_domain_weak' and flagged for review. The CVSS vector uses CVSS 4.0 with Attack Vector: Network, Attack Complexity: Low, Attack Requirements: Present, Privileges Required: None, User Interaction: None, with high impacts to confidentiality, integrity, and availability.
Official resources
- CVE-2026-0826 CVE record (CVE.org)
- CVE-2026-0826 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: 2026-06-01