The CVE-2026-0826 stack-based buffer overflow in Poly Voice SDP candidate attribute parsing represents more than a remote code execution vector—it exposes a persistent hardware foothold in environments where software-centric defenses are absent. While Rapid7 correctly identifies the ICE-enabled parsing flaw allowing unauthenticated SIP INVITE exploitation and ROP bypass of ASLR/NX, the coverage understates how these devices, often deployed via long supply chains involving Poly's 2018 HP acquisition, inherit firmware weaknesses from legacy embedded Linux stacks. This connects to broader patterns seen in the 2021 Colonial Pipeline-adjacent IoT incidents and the 2023 MOVEit supply-chain cascade, where trusted peripherals became lateral movement nodes. Unlike endpoint-focused reporting, the real risk lies in audio capture for deepfake vishing combined with network persistence, a gap missed by vendors emphasizing patch deployment over architectural isolation. Synthesizing Rapid7's advisory with NIST SP 800-82 Rev. 3 on ICS/IoT segmentation and a 2024 ENISA report on converged voice-data threats reveals that disabling ICE alone fails against supply-chain implants, demanding hardware-rooted attestation absent in VVX and Trio series.