Description
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.
Published: 2026-04-11
Score: 9.8 Critical
EPSS: 1.2% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw stems from improper validation of the DataOffset field within SMB responses, allowing an out‑of‑bounds memory read that can be abused to execute arbitrary code in kernel mode. Authentication is not required, so a remote attacker can trigger the vulnerability by sending crafted SMB packets, gaining remote code execution with elevated privileges and potentially compromising the device and any connected systems.

Affected Systems

All Sonos Era 300 smart speakers run on firmware that processes SMB responses. The vulnerability exists in any current firmware version from the product’s launch until a vendor patch is applied; no specific firmware range is published.

Risk and Exploitability

With a CVSS base score of 9.8 the flaw is considered critical. The EPSS score is 1 %—a low yet nonzero chance of exploitation. The vulnerability is not listed in the CISA KEV catalogue. Attackers can exploit it via network SMB traffic without authentication, delivering malicious payloads that execute in kernel space. This gives an attacker full control over the device. The weakness is identified as CWE‑119—Out‑of‑Bounds Write.

Generated by OpenCVE AI on April 15, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Sonos firmware update or patch for the Era 300 device to fix the DataOffset validation bug (CWE‑119).
  • If a patch is not yet available, isolate the device from untrusted networks and block or restrict SMB traffic to prevent remote exploitation.
  • Disable SMB services on the device if configuration permits or place the device on a separate, air‑gap network segment to reduce exposure.
  • Monitor network logs for anomalous SMB connections and other suspicious activity that may indicate attempts to exploit the vulnerability.

Generated by OpenCVE AI on April 15, 2026 at 22:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Sonos era 300 Firmware
CPEs cpe:2.3:h:sonos:era_300:-:*:*:*:*:*:*:*
cpe:2.3:o:sonos:era_300_firmware:*:*:*:*:*:*:*:*
Vendors & Products Sonos era 300 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Sonos
Sonos era 300
Vendors & Products Sonos
Sonos era 300

Sat, 11 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.
Title Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability
Weaknesses CWE-119
References
Metrics cvssV3_0

{'score': 10, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Sonos Era 300 Era 300 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-04-13T16:16:22.089Z

Reserved: 2026-03-13T20:27:19.120Z

Link: CVE-2026-4149

cve-icon Vulnrichment

Updated: 2026-04-13T16:16:18.707Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T01:16:16.430

Modified: 2026-04-15T12:26:48.387

Link: CVE-2026-4149

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses