HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-0826Published Modified CNA hp

CVE-2026-0826: Poly Voice – Possible Remote Control of Certain Poly Devices

In certain scenarios when the admin has enabled Interactive Connectivity Establishment (ICE), a buffer overflow could enable remote code execution on Poly Voice products on the Linux platform.

Metrics

CVSS v4.0
9.2
Severity
CRITICAL
Fixed in
7.2.8
Affected Products
3

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects Poly Voice products (Poly Trio 8300, 8500, and 8800) running on Linux. The flaw is reachable over the network with no authentication required, but only when an administrator has enabled Interactive Connectivity Establishment (ICE), a protocol used for peer-to-peer media negotiation. Successful exploitation gives an attacker full remote code execution on the device. Patched-image rebuilds at versions 7.2.8 and 8.1.7 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection of CVE-2026-0826 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected Poly Voice base layers. Coverage extends to any image that packages an affected poly_trio_8300, poly_trio_8500, or poly_trio_8800 firmware or runtime component below the fix thresholds.

Available
Triage

HarborGuard scores this CVE at 9.2 CRITICAL using the CVSS v4.0 vector and weights it against each environment's configured compliance policy to determine breach of threshold and urgency tier. Triage findings are routed automatically to the inbox or ticketing integration designated by each customer org for critical-severity issues.

Available
Patch

A patched-image rebuild at fix versions 7.2.8 (Trio 8500, 8800) and 8.1.7 (Trio 8300) becomes available on HarborGuard as soon as the upstream packages are published. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against every affected workload manifest; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable ICE handling code is exposed over the network, so an attacker must be able to reach the device's signaling or media port from a remote host.

  • AuthenticationNot required

    No credentials or session token are needed; the malformed ICE payload can be sent by any unauthenticated remote party.

  • Victim interactionNot required

    Exploitation is fully passive from the victim's perspective and requires no user action on the device.

  • Attack complexityDetail

    The CVSS base score reflects low inherent complexity, but the AT:P token indicates that exploitation depends on an administrator having enabled ICE, which is not the default configuration on all deployments.

Blast Radius

  • An attacker achieves remote code execution on the device, gaining the ability to run arbitrary commands at the privilege level of the affected Poly Voice process.
  • Confidential data stored or transiting the device (call recordings, credentials, configuration secrets) is fully readable by the attacker.
  • The attacker can modify device configuration, redirect calls, or inject media streams, compromising the integrity of communications handled by the device.
  • The attacker can crash or reboot the device, causing a denial of voice service for users depending on that endpoint.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any customer image packaging an affected Poly Voice component below versions 7.2.8 or 8.1.7. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the patched version, a regression test run, and a pull request opened against affected workload manifests; for critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who have not enabled auto-remediation will see the finding surfaced in their HarborGuard dashboard with fix-version guidance. Because exploitation requires ICE to be administratively enabled, customers who cannot immediately patch should audit device configurations and disable ICE on any Poly Trio endpoint where it is not operationally necessary, treating that as a compensating control until the patched image is deployed.

See how HarborGuard automates this

Fix available

7.2.88.1.7
Affected packages
  • HP Inc. / poly_trio_8300
    < 8.1.7 (from 0)
  • HP Inc. / poly_trio_8500
    < 7.2.8 (from 0)
  • HP Inc. / poly_trio_8800
    < 7.2.8 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References