CVE-2026-4149

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability

Assigner: zdi
Reserved: 13.03.2026 Published: 11.04.2026 Updated: 11.04.2026

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.0

Product Status

Vendor	Sonos
Product	Era 300
Versions	Default: unknown Version 17.5 (build 91.0-70070) is affected

Vendor

Sonos

Product

Era 300

Versions

Default: unknown

Version 17.5 (build 91.0-70070) is affected

References

Problem Types

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE

CVE-2026-4149 PUBLISHED

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability

Metrics

Product Status

References

Problem Types