Skip to main content

Era 300 CVE-2026-4149

| EUVDEUVD-2026-21627 CRITICAL
Buffer Overflow (CWE-119)
2026-04-11 zdi GHSA-8v6v-j22p-w63g
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
CVSS changed
Apr 15, 2026 - 15:22 NVD
10.0 (CRITICAL) 9.8 (CRITICAL)
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21627
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:12 nvd
CRITICAL 10.0

DescriptionCVE.org

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.

AnalysisAI

Remote code execution in Sonos Era 300 smart speakers (build 17.5/91.0-70070) allows unauthenticated network attackers to execute arbitrary kernel-level code via malformed SMB server responses. The vulnerability achieves maximum CVSS 10.0 severity due to network accessibility without authentication, low complexity, and kernel-level code execution with scope change. EPSS indicates 1.27% exploitation probability (80th percentile), suggesting moderate real-world risk. No active exploitation confirmed at time of analysis, though ZDI publication increases weaponization likelihood.

Technical ContextAI

The flaw resides in the Sonos Era 300's SMB (Server Message Block) client implementation, specifically in parsing the DataOffset field within SMB protocol responses. SMB is a network file sharing protocol typically used for media streaming and network storage access on smart speakers. The vulnerability stems from insufficient bounds checking (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) when processing server-supplied DataOffset values. When the Era 300 connects to a malicious SMB server, the attacker can supply a crafted DataOffset that causes the SMB client to read or write memory beyond allocated buffer boundaries. Because the SMB stack operates at kernel privilege level on the embedded firmware, successful exploitation grants kernel-mode code execution, enabling complete device compromise including persistent malware installation, surveillance capabilities, or use as a network pivot point.

RemediationAI

Contact Sonos support immediately to determine patch availability status for Era 300 firmware, as no vendor-released patch version is independently confirmed from available data at time of analysis. Monitor Sonos security advisories at the official support portal for firmware updates addressing CVE-2026-4149 and ZDI-CAN-28345. As immediate risk mitigation, implement network segmentation to isolate Era 300 devices from untrusted networks and disable SMB client functionality if not required for intended use cases. Block outbound SMB traffic (TCP ports 445, 139) from Era 300 devices at network firewall to prevent connection to malicious SMB servers. For enterprise deployments, restrict Era 300 network access to trusted internal SMB shares only via whitelist ACLs. Consult ZDI advisory ZDI-26-192 for additional vendor coordination details at https://www.zerodayinitiative.com/advisories/ZDI-26-192/. Disable network file sharing features on Era 300 speakers until patched firmware is deployed.

Share

CVE-2026-4149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy