CRITICAL🇵🇱 Wersja polska

CVE-2026-4149

CVSS 9.8v3.1pub. 2026-04-11upd. 2026-04-15

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.

🤖 AI Analysis
How it works

The vulnerability results from improper validation of the DataOffset field in SMB protocol responses handled by the device. Improper validation of user-supplied data leads to out-of-bounds memory access (CWE-119). An attacker can send a crafted SMB response that triggers this error and allows code execution in the kernel context of the device's operating system.

Impact

An attacker can execute arbitrary code with kernel privileges, which means complete takeover of the device, including the ability to compromise confidentiality, integrity, and system availability.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. Detailed information about the corrected firmware version is available at: https://www.zerodayinitiative.com/advisories/ZDI-26-192/

Who is affected

Sonos Era 300 and its firmware (Sonos Era 300 Firmware) — specific versions indicated in the manufacturer's references and in the ZDI-26-192 advisory.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Sonos Era 300

    HW
    Sonos
    wszystkie wersje
  • Sonos Era 300 Firmware

    OS
    Sonos
    < 83.1-61240
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2025-1051HIGH8.8ten sam produkt

Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows networ...

CVE-2025-1048HIGH8.8ten sam produkt

Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows ne...

CVE-2025-1049HIGH8.8ten sam produkt

Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows networ...

CVE-2025-1050HIGH8.8ten sam produkt

Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjac...

CVE-2022-24049CRITICAL9.8ten sam vendor

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos One Sp...