Description
An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio range to connect without authentication via the Sound Bar Remote protocol
Published: 2026-04-16
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Remote Control
Action: Patch
AI Analysis

Impact

An unauthenticated bug in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar allows a nearby attacker to establish a BLE connection without any authentication using the Sound Bar Remote protocol. The flaw permits the attacker to send control commands to the device, potentially changing volume, input source, or other settings without user consent. The vulnerability could lead to disruption of audio services or enable further exploitation if the device is connected to other systems or networks.

Affected Systems

Yamaha SR‑B30A sound bar with firmware version 2.40 and the accompanying Mobile App: Sound Bar Remote / version 2.40. The flaw is active when the BLE radio is broadcasting and the app or device is within range, which typically spans up to a few dozen meters.

Risk and Exploitability

The risk is moderate because the attack requires physical proximity to the sound bar. No exploitation probability is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is local via BLE and does not need network connectivity, but it provides unauthorized control of the device once a connection is established. This could be used for denial of service or for injecting unwanted commands into the audio experience.

Generated by OpenCVE AI on April 17, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the sound bar firmware and the Sound Bar Remote app to the latest version that enforces authentication on BLE connections.
  • Disable the BLE or remote control feature on the device if the firmware allows configuration changes to turn off the vulnerable service.
  • Position the sound bar outside the range of untrusted BLE devices, or use a Bluetooth scanner to detect and block unknown devices attempting to connect.

Generated by OpenCVE AI on April 17, 2026 at 05:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated BLE Control Access on Yamaha SR-B30A Sound Bar
Weaknesses CWE-287

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Yamaha
Yamaha sr-b30a Sound Bar Firmware
Vendors & Products Yamaha
Yamaha sr-b30a Sound Bar Firmware

Thu, 16 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio range to connect without authentication via the Sound Bar Remote protocol
References

Subscriptions

Yamaha Sr-b30a Sound Bar Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T15:10:26.326Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37100

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T16:16:16.910

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-37100

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T06:00:09Z

Weaknesses