
CVE-2026-0791: CWE-121: Stack-based Buffer Overflow in ALGO 8180 IP Audio Alerter

Severity: High
Tags: Vulnerability, CVE-2026-0791, cve, cve-2026-0791, cwe-121
Published: Fri Jan 23 2026 (01/23/2026, 03:01:24 UTC)
Source: CVE Database V5
Vendor/Project: ALGO
Product: 8180 IP Audio Alerter

Description

CVE-2026-0791 is a high-severity stack-based buffer overflow vulnerability in the ALGO 8180 IP Audio Alerter device, specifically in the handling of the SIP INVITE Replaces header. This flaw allows remote attackers to execute arbitrary code without authentication by sending a specially crafted SIP INVITE request. The vulnerability arises from improper validation of user-supplied data length before copying it into a fixed-size stack buffer, leading to potential remote code execution. The CVSS score is 8.1, indicating a significant risk to confidentiality, integrity, and availability. No known exploits are currently in the wild, and no patches have been published yet. European organizations using this device in critical communication infrastructure may face risks of device takeover or disruption. Mitigation should focus on network-level protections, strict SIP traffic filtering, and close monitoring until a vendor patch is available. Countries with higher adoption of ALGO devices and strategic reliance on IP audio alerting systems are at greater risk.

AI-Powered Analysis

Last updated: 01/30/2026, 10:07:49 UTC

Technical Analysis

CVE-2026-0791 is a stack-based buffer overflow vulnerability identified in the ALGO 8180 IP Audio Alerter, a device used for IP-based audio alerting and paging. The vulnerability specifically exists in the processing of the SIP INVITE request's Replaces header, where the device fails to properly validate the length of user-supplied data before copying it into a fixed-length stack buffer. This lack of bounds checking allows an attacker to overflow the buffer, potentially overwriting the stack and enabling arbitrary code execution in the context of the device’s process. Exploitation requires no authentication or user interaction, making it remotely exploitable over the network by sending a crafted SIP INVITE message. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and has been assigned a CVSS v3.0 base score of 8.1, reflecting high impact on confidentiality, integrity, and availability. The attack vector is network-based with high attack complexity, but no privileges or user interaction are required. The vulnerability was reported by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-28300 and published on January 23, 2026. No patches or mitigations have been officially released by ALGO at the time of this report, and no known exploits have been observed in the wild. Given the device’s role in critical communication infrastructure, successful exploitation could lead to full device compromise, enabling attackers to manipulate audio alerts, disrupt communications, or pivot into internal networks.

Potential Impact

For European organizations, the impact of CVE-2026-0791 can be significant, especially for those relying on ALGO 8180 IP Audio Alerter devices in their physical security, emergency notification, or public address systems. Successful exploitation could allow attackers to execute arbitrary code remotely, leading to full device compromise. This could result in unauthorized manipulation or suppression of audio alerts, causing misinformation or failure to alert personnel during emergencies. Additionally, compromised devices could serve as footholds for lateral movement into enterprise networks, risking broader network intrusion and data breaches. The confidentiality of communications could be undermined, and the integrity and availability of alerting systems could be severely affected. Given the lack of authentication required for exploitation, attackers could operate from outside the organization’s perimeter. This vulnerability poses a direct threat to operational continuity and safety in environments such as transportation hubs, hospitals, corporate campuses, and government facilities across Europe.

Mitigation Recommendations

Until an official patch is released by ALGO, European organizations should implement the following specific mitigations:

1) Deploy network-level access controls to restrict SIP traffic to trusted sources only, using firewalls and SIP-aware intrusion prevention systems (IPS) to detect and block malformed INVITE requests containing suspicious Replaces headers.
2) Segment the network to isolate ALGO 8180 devices from general user and internet-facing networks, limiting exposure to untrusted traffic.
3) Monitor network traffic for unusual SIP INVITE patterns or anomalies that could indicate exploitation attempts.
4) Employ rate limiting on SIP requests to reduce the risk of exploitation through rapid repeated attempts.
5) Maintain an inventory of all ALGO 8180 devices and ensure firmware versions are tracked to apply patches promptly once available.
6) Engage with ALGO support channels to obtain early access to security updates or workarounds.
7) Consider temporarily disabling or restricting SIP Replaces header processing if device configuration allows.
8) Conduct regular security assessments and penetration testing focused on VoIP and IP audio alerting infrastructure.

These targeted actions go beyond generic advice by focusing on the specific protocol and device behavior involved in this vulnerability.
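An added example, not from the advisory or from ALGO: a Python check that a SIP-aware filter or log pipeline could apply for mitigations 1 and 3, flagging INVITE requests whose Replaces header is oversized or malformed. The 256-byte limit, the function names, and the sample messages are assumptions constructed here; the advisory does not state the buffer size.

```python
import re

MAX_REPLACES_LEN = 256  # assumed policy limit; the advisory states no buffer size

def replaces_values(raw: bytes) -> list[bytes]:
    """Return every Replaces header value, with folded lines joined."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    head = re.sub(rb"\r\n[ \t]+", b" ", head)   # unfold continuation lines
    values = []
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"replaces":
            values.append(value.strip())
    return values

def inspect_invite(raw: bytes, max_len: int = MAX_REPLACES_LEN) -> list[str]:
    """Return findings for one SIP message; an empty list means nothing flagged."""
    if not raw.startswith(b"INVITE "):
        return []
    values = replaces_values(raw)
    findings = []
    if len(values) > 1:
        findings.append(f"{len(values)} Replaces headers (RFC 3891 allows one)")
    for value in values:
        if len(value) > max_len:
            findings.append(f"Replaces value is {len(value)} bytes (limit {max_len})")
        names = {p.split(b"=")[0].strip().lower() for p in value.split(b";")[1:]}
        missing = sorted({b"to-tag", b"from-tag"} - names)
        if missing:
            findings.append("Replaces lacks " + b", ".join(missing).decode())
    return findings

def build_invite(replaces: bytes) -> bytes:
    """Constructed sample INVITE (documentation addresses, not captured traffic)."""
    return (b"INVITE sip:pager@192.0.2.10 SIP/2.0\r\n"
            b"Call-ID: a84b4c76e66710@client.example\r\n"
            b"Replaces: " + replaces + b"\r\n"
            b"Content-Length: 0\r\n\r\n")

BENIGN = build_invite(b"12345@host.example;to-tag=7743;from-tag=6472")
OVERSIZED = build_invite(b"x" * 600 + b";to-tag=1;from-tag=2")
# Folded across two lines: each physical line is short, the joined value is not.
FOLDED = build_invite(b"y" * 200 + b"\r\n " + b"y" * 200 + b";to-tag=1;from-tag=2")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversized", OVERSIZED), ("folded", FOLDED)):
        print(label, inspect_invite(msg))
```

The folded case is why the length is measured after unfolding: a filter that checks each physical line separately would pass it.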


Technical Details

Data Version: 5.2
Assigner Short Name: zdi
Date Reserved: 2026-01-08T22:55:46.514Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 6972e91b4623b1157cde3350

Added to database: 1/23/2026, 3:20:59 AM

Last enriched: 1/30/2026, 10:07:49 AM

Last updated: 2/6/2026, 1:22:43 AM
