Introduction
A maximum-severity vulnerability in the Sonos Era 300 smart speaker allows unauthenticated remote attackers to achieve kernel-level code execution by sending the device a crafted SMB response over the network. Discovered by the researcher dmdung of STAR Labs SG Pte. Ltd. and disclosed through the Zero Day Initiative as ZDI-26-192, CVE-2026-4149 carries a CVSS 3.0 base score of 10.0 and requires neither authentication nor user interaction to exploit.
The Sonos Era 300 is a premium smart speaker designed for spatial audio, part of a Sonos ecosystem that spans millions of connected devices in homes and commercial environments worldwide. Sonos products are deeply integrated into home and office networks, often sitting on the same LAN segments as workstations and servers, which makes a kernel-level compromise of one of these devices a meaningful foothold for lateral movement.
Technical Information
Root Cause: Unvalidated DataOffset in SMB Response Handling
The vulnerability lies in the SMB (Server Message Block) response handler in the Sonos Era 300 firmware. Because it is the response side of the protocol that is affected, the device is acting as an SMB client, and the malicious input comes from whatever server it is talking to. When the device processes an incoming SMB response, it reads a DataOffset field to locate the payload within the response buffer. The firmware does not validate that offset against the bounds of the buffer it allocated for the response before using it in subsequent memory operations.
This is a classic CWE-119 condition (Improper Restriction of Operations within the Bounds of a Memory Buffer). DataOffset is attacker-controlled because it is read directly from the packet, and with no bounds check an out-of-range value makes the firmware read from, or write to, memory beyond the end of the allocated buffer.
Why This Is Kernel Level
The SMB handling code on the Sonos Era 300 runs at a privileged level in the system, so a successful out-of-bounds access does not merely crash a userspace process; it yields code execution in kernel context. The advisory does not name the component, but a kernel-resident SMB client (as on Linux, where SMB/CIFS mounting is implemented in the kernel, and Sonos devices are Linux-based) would account for response parsing happening in kernel space. In practice this gives the attacker complete control of the device: the ability to read and modify any data, install persistent implants, or pivot to other hosts on the network.
CVSS 3.0 Breakdown
The full CVSS 3.0 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the network |
| Attack Complexity | Low (AC:L) | No special conditions or race windows required |
| Privileges Required | None (PR:N) | No authentication needed |
| User Interaction | None (UI:N) | No victim action required |
| Scope | Changed (S:C) | Impact extends beyond the vulnerable component |
| Confidentiality | High (C:H) | Full read access to device memory and data |
| Integrity | High (I:H) | Full write access; arbitrary code execution |
| Availability | High (A:H) | Complete denial of service possible |
The "Changed" scope is particularly notable. It reflects that compromising the kernel of a network-connected device affects resources beyond the vulnerable component itself: the speaker becomes a trusted position on the LAN from which other hosts on the same segment can be attacked.
Attack Flow
Based on the disclosed details, exploitation would follow this general sequence:
- The attacker identifies a Sonos Era 300 on the target network. These devices are discoverable with ordinary network scanning or via multicast discovery protocols.
- The attacker gets the device to talk SMB to a server they control. Because the flaw is in response handling, the attacker must be on the server side of an SMB exchange the device initiates, for example by standing up a rogue SMB server on the LAN (Sonos speakers use SMB to index music libraries on network shares) or by intercepting traffic to a legitimate server from a man-in-the-middle position.
- The attacker sends an SMB response whose DataOffset field points past the end of the buffer the device allocated for the response.
- When the Sonos Era 300 processes the response, the unvalidated offset causes an out-of-bounds memory access.
- By controlling both the offset and the contents of the response, the attacker turns that access into arbitrary code execution in kernel context.
No authentication is required at any step, and no user interaction is needed. The device only has to be reachable on the network and to process an SMB response the attacker controls.
Disclosure Timeline
| Event | Date |
|---|---|
| Vulnerability reported to Sonos | 2025-11-06 |
| Coordinated public release of advisory (ZDI-26-192) | 2026-03-16 |
| CVE published by NVD | 2026-04-10 |
Patch Information
Sonos addressed CVE-2026-4149 in firmware version 83.1-61240, released on February 4, 2026, after the November 2025 report and before the March 2026 advisory in the timeline above. The ZDI-26-192 advisory confirms this directly, stating that the vulnerability is "Fixed in version 83.1-61240," and the official Sonos system update release notes corroborate it by listing that version under the changelog entry "Security improvements."
The fix targets the SMB response handler in the Sonos Era 300 firmware. Before the patch, the attacker-supplied DataOffset field was not validated, so a crafted SMB response could make the device access memory past the end of an allocated buffer. The patch adds bounds checking for DataOffset in SMB responses, so that any externally supplied offset is verified against the actual buffer boundaries before it is used in a memory access.
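To make the root cause described under Technical Information and the fix described here concrete, the following is an added example, not Sonos code (the firmware is closed and the advisory does not say which SMB command is involved). It models the bug on the SMB2 READ response, where MS-SMB2 defines a one-byte DataOffset measured from the start of the 64-byte SMB2 header and a four-byte DataLength. `parse_read_rsp_vuln` trusts both fields the way the text says the firmware did; `parse_read_rsp_safe` applies the checks the patch description implies; `build_read_rsp` constructs sample packets, including a malicious one whose DataOffset points past the end of an 84-byte packet. All function and struct names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout constants from MS-SMB2: the fixed 64-byte header (2.2.1) and the
 * READ response (2.2.20): StructureSize 17, a 1-byte DataOffset measured from
 * the start of the header, and a 4-byte DataLength, followed by Buffer. */
#define SMB2_HDR_LEN        64
#define SMB2_READ_RSP_SIZE  17
#define SMB2_READ_RSP_FIXED 16                                   /* fixed fields before Buffer */
#define SMB2_READ_DATA_MIN  (SMB2_HDR_LEN + SMB2_READ_RSP_FIXED) /* 80: lowest legal DataOffset */

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

struct read_payload { size_t off; size_t len; };  /* where the READ data sits inside pkt */

/* VULNERABLE (hypothetical, modelled on the bug described above): DataOffset
 * and DataLength come straight from the wire and are never compared with
 * pkt_len, so a caller doing memcpy(dst, pkt + off, len) reads out of bounds. */
int parse_read_rsp_vuln(const uint8_t *pkt, size_t pkt_len, struct read_payload *out) {
    if (pkt_len < SMB2_READ_DATA_MIN) return -1;
    const uint8_t *body = pkt + SMB2_HDR_LEN;
    out->off = body[2];
    out->len = rd32le(body + 4);
    return 0;
}

/* HARDENED: every wire-supplied offset and length is checked against the
 * packet actually received before it can be used for a memory access. */
int parse_read_rsp_safe(const uint8_t *pkt, size_t pkt_len, struct read_payload *out) {
    if (pkt_len < SMB2_READ_DATA_MIN) return -1;
    const uint8_t *body = pkt + SMB2_HDR_LEN;
    if (rd16le(body) != SMB2_READ_RSP_SIZE) return -1;
    size_t off = body[2];
    size_t len = rd32le(body + 4);
    if (off < SMB2_READ_DATA_MIN) return -1;  /* must not point back into the fixed fields */
    if (off > pkt_len) return -1;             /* offset beyond the packet */
    if (len > pkt_len - off) return -1;       /* off + len <= pkt_len, written without overflow */
    out->off = off;
    out->len = len;
    return 0;
}

/* Copies the READ data into a caller-owned buffer via the hardened parser.
 * Returns the number of bytes copied, or -1 if the response is rejected. */
long extract_read_data(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_cap) {
    struct read_payload p;
    if (parse_read_rsp_safe(pkt, pkt_len, &p) != 0) return -1;
    if (p.len > dst_cap) return -1;
    memcpy(dst, pkt + p.off, p.len);
    return (long)p.len;
}

/* Builds a constructed READ response. The claimed DataOffset/DataLength are
 * written verbatim (this is what a rogue server controls); the real data is
 * always placed at offset 80. Returns the packet length, or 0 if buf is too small. */
size_t build_read_rsp(uint8_t *buf, size_t cap, uint8_t claimed_off, uint32_t claimed_len,
                      const uint8_t *data, size_t data_n) {
    size_t total = SMB2_READ_DATA_MIN + data_n;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0xFE; buf[1] = 'S'; buf[2] = 'M'; buf[3] = 'B';  /* SMB2 ProtocolId */
    wr16le(buf + 4, SMB2_HDR_LEN);                            /* header StructureSize */
    uint8_t *body = buf + SMB2_HDR_LEN;
    wr16le(body, SMB2_READ_RSP_SIZE);
    body[2] = claimed_off;
    wr32le(body + 4, claimed_len);
    memcpy(buf + SMB2_READ_DATA_MIN, data, data_n);
    return total;
}

int main(void) {
    uint8_t pkt[128];
    struct read_payload p;
    /* 84-byte packet claiming its data starts at byte 240 and is 4096 bytes long */
    size_t n = build_read_rsp(pkt, sizeof pkt, 0xF0, 0x1000, (const uint8_t *)"ABCD", 4);
    if (parse_read_rsp_vuln(pkt, n, &p) == 0)
        printf("vulnerable parser accepted off=%zu len=%zu in a %zu-byte packet\n", p.off, p.len, n);
    printf("hardened parser returned %d\n", parse_read_rsp_safe(pkt, n, &p));
    return 0;
}
```

The three checks in `parse_read_rsp_safe` are the ones that matter for this bug class: the offset may not point back into the fixed fields (which would alias header memory), it may not exceed the received length, and the length is tested as `len > pkt_len - off` rather than `off + len > pkt_len` so that a huge DataLength cannot wrap the addition. An in-kernel client that skips any one of them hands a rogue server control over a memory access in kernel context, which is exactly the outcome the advisory describes.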
Because this is a firmware-level fix shipped through Sonos's standard over-the-air update mechanism, there is no public source code commit or diff to inspect. Sonos systems update automatically by default, so most active Era 300 devices will already have received the patch. Users can verify their firmware version in the Sonos app under Settings > General Settings > System Updates and trigger a manual update if needed. Any device running firmware 83.1-61240 or later is patched against this vulnerability.
There is a discrepancy worth noting in version reporting across databases:
| Source | Reported Affected Version | Reported Fixed Version |
|---|---|---|
| Zero Day Initiative | Era 300 | 83.1-61240 |
| CVE Record (CVE.org) | affected at 17.5 (build 91.0-70070) | Default Status: unknown |
The two sources do not line up: the build the CVE record lists as affected (91.0-70070) is numerically later than the build ZDI lists as fixed (83.1-61240), so at least one of them is not describing the same affected/fixed boundary. Administrators should treat 83.1-61240 as the minimum safe build on the strength of the ZDI advisory, and should confirm against the Sonos release notes rather than assuming that every later version number is patched.
Affected Systems and Versions
The vulnerability affects the Sonos Era 300 smart speaker. Based on available disclosures:
- The CVE record on CVE.org lists the affected version as 17.5 (build 91.0-70070).
- The Zero Day Initiative advisory confirms the fix is in firmware version 83.1-61240.
- Any Sonos Era 300 device running firmware prior to 83.1-61240 should be considered vulnerable.
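As an added helper for checking a fleet against the build numbers above (this is not Sonos tooling; it assumes firmware is reported in the MAJOR.MINOR-BUILD form shown on this page, such as 83.1-61240, and the device names and the 82.2-59000 build in the sample inventory are constructed), the following compares reported versions with the minimum fixed build. Running it over the two builds named in the CVE record and the ZDI advisory shows why the discrepancy matters: 91.0-70070 sorts above 83.1-61240, so a purely numeric check calls it patched even though the CVE record lists it as affected.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sonos build string in the form shown on this page: "MAJOR.MINOR-BUILD". */
struct sonos_build { long major, minor, build; };

/* Parses "83.1-61240" into its three numeric parts. Returns 1 on success,
 * 0 if the string is not exactly MAJOR.MINOR-BUILD with non-negative parts
 * (an app version such as "17.5" is rejected, since it is not a build). */
int parse_build(const char *s, struct sonos_build *out) {
    char *end;
    out->major = strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    out->minor = strtol(s, &end, 10);
    if (end == s || *end != '-') return 0;
    s = end + 1;
    out->build = strtol(s, &end, 10);
    if (end == s || *end != '\0') return 0;
    return out->major >= 0 && out->minor >= 0 && out->build >= 0;
}

/* strcmp-style ordering: major, then minor, then build. */
int cmp_build(const struct sonos_build *a, const struct sonos_build *b) {
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->build != b->build) return a->build < b->build ? -1 : 1;
    return 0;
}

/* 1 if reported >= min_fixed, 0 if below it, -1 if either string is unparseable. */
int is_patched(const char *reported, const char *min_fixed) {
    struct sonos_build r, m;
    if (!parse_build(reported, &r) || !parse_build(min_fixed, &m)) return -1;
    return cmp_build(&r, &m) >= 0;
}

struct device { const char *name; const char *version; };

/* Counts devices that cannot be shown to be at or above min_fixed; unparseable
 * versions are counted too, because they cannot be shown to be safe. */
size_t count_needing_update(const struct device *devs, size_t n, const char *min_fixed) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (is_patched(devs[i].version, min_fixed) != 1) count++;
    return count;
}

int main(void) {
    /* Constructed inventory; the 83.1-61240 and 91.0-70070 builds come from this page. */
    const struct device fleet[] = {
        { "era300-kitchen", "83.1-61240" },   /* ZDI fixed build */
        { "era300-office",  "82.2-59000" },   /* hypothetical older build */
        { "era300-lobby",   "91.0-70070" },   /* build the CVE record lists as affected */
        { "era300-unknown", "17.5" },         /* app version only, not a build string */
    };
    size_t n = sizeof fleet / sizeof fleet[0];
    for (size_t i = 0; i < n; i++)
        printf("%-16s %-12s patched=%d\n", fleet[i].name, fleet[i].version,
               is_patched(fleet[i].version, "83.1-61240"));
    printf("%zu of %zu devices need attention\n", count_needing_update(fleet, n, "83.1-61240"), n);
    return 0;
}
```

The `-1` result for a bare app version is deliberate: an inventory that records only "17.5" does not identify a firmware build, and the device should be re-queried rather than assumed safe. The numeric comparison is the right first filter, but for this CVE it must be paired with the vendor's own statement of the fixed build, because the CVE record and the ZDI advisory disagree.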
No other Sonos products have been explicitly named in the advisory, though organizations with mixed Sonos deployments should monitor for additional advisories.
Vendor Security History
Sonos maintains a formal security program with a published Vulnerability Disclosure Policy and a dedicated page for security research recognition. The company publicly commits to providing software security updates for their products.
Their handling of CVE-2026-4149 followed a standard coordinated disclosure process. The vulnerability was reported in November 2025, and a firmware fix was available well before the public advisory release in March 2026. This indicates an active product security incident response capability with reasonable turnaround for critical issues.
References
- ZDI-26-192: Sonos Era 300 SMB Response Out-of-Bounds Access Remote Code Execution Vulnerability
- NVD Entry for CVE-2026-4149
- CVE.org Record for CVE-2026-4149
- Sonos System Update Release Notes
- Update Your Sonos Speakers
- Sonos Platform Security Information
- Sonos Security Software Updates Policy
- VulDB Entry for CVE-2026-4149
- CISA Known Exploited Vulnerabilities Catalog