CVE-2022-24049
Published: 18 February 2022
Summary
CVE-2022-24049 is a critical-severity stack-based buffer overflow (CWE-121) in the ALAC audio codec of Sonos One speakers, affecting both S1 and S2 systems. Its CVSS base score is 9.8 (Critical).
Operationally, its EPSS score places it in the top 2.7% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
This vulnerability is a stack-based buffer overflow in the ALAC audio codec used by Sonos One speakers. It affects S2 systems prior to version 3.4.1 and S1 systems prior to version 11.2.13 build 57923290. The flaw (CWE-121 and CWE-787) stems from missing validation of the length of attacker-supplied data before it is copied into a fixed-size buffer on the stack, enabling out-of-bounds writes. The issue carries a CVSS 3.1 score of 9.8.
Remote attackers can exploit the vulnerability without authentication by sending a crafted audio stream to an affected device. Successful exploitation grants arbitrary code execution in the context of the root user, allowing full control of the speaker.
The Zero Day Initiative advisory ZDI-22-261, which assigned the identifier ZDI-CAN-15798, identifies the affected Sonos firmware versions and indicates that the vendor has released updates to version 3.4.1 (S2) and 11.2.13 build 57923290 (S1) to address the issue. The EPSS score has remained flat at 0.3796 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28964
Vulnerability details
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems). Authentication is not required to exploit this vulnerability. The specific flaw exists within the ALAC audio codec. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15798.
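The flaw described in the deeper analysis and in the advisory text above is the classic CWE-121 pattern: a length taken from attacker-supplied stream data is used as the copy size into a fixed-size stack buffer. The following is an added example, not Sonos' ALAC code and not from the ZDI advisory; the frame layout (a 16-bit big-endian payload length followed by the payload), the 32-byte buffer size and the sample frames are all constructed for illustration. It shows the unchecked copy next to a hardened version that checks the declared length against both the destination buffer and the bytes actually present in the input (the second check prevents the companion over-read bug).

```c
/* Added example (not Sonos' code): constructed length-prefixed "audio frame"
 * decoder showing CWE-121. Hypothetical layout: [u16 BE length][payload]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BUF 32      /* fixed-size stack buffer the payload lands in */
#define MAX_FRAME 514     /* largest constructed sample frame built below */

/* Byte sum of the decoded payload, so the stack buffer is actually used. */
static long checksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += p[i];
    return (long)sum;
}

/* Reads the 16-bit big-endian length field; 0 if the header is truncated. */
static size_t frame_declared_len(const uint8_t *in, size_t in_len)
{
    if (in_len < 2)
        return 0;
    return ((size_t)in[0] << 8) | in[1];
}

/* Vulnerable pattern: the stream-supplied length becomes the memcpy size with
 * no comparison against the 32-byte stack buffer. A frame declaring more than
 * FRAME_BUF bytes writes past buf (CWE-121 / CWE-787), which on a target
 * without stack protection reaches the saved return address. */
static long decode_frame_unchecked(const uint8_t *in, size_t in_len)
{
    uint8_t buf[FRAME_BUF];
    size_t len = frame_declared_len(in, in_len);
    if (len == 0)
        return -1;
    memcpy(buf, in + 2, len);         /* no bound check: stack overflow */
    return checksum(buf, len);
}

/* Hardened pattern: reject the frame unless the declared length fits the
 * destination buffer AND those bytes are really present in the input. */
static long decode_frame_checked(const uint8_t *in, size_t in_len)
{
    uint8_t buf[FRAME_BUF];
    size_t len = frame_declared_len(in, in_len);
    if (len == 0)
        return -1;
    if (len > sizeof buf)             /* would overflow the stack buffer */
        return -1;
    if (len > in_len - 2)             /* would read past the end of input */
        return -1;
    memcpy(buf, in + 2, len);
    return checksum(buf, len);
}

/* Builds a constructed sample frame: header says `declared`, body holds
 * `payload_len` copies of `fill`. Returns the frame's total size. */
static size_t make_frame(uint8_t *out, uint16_t declared, size_t payload_len, uint8_t fill)
{
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xff);
    memset(out + 2, fill, payload_len);
    return 2 + payload_len;
}

/* Runs the hardened decoder over one constructed case:
 *   0 = well-formed 16-byte frame          -> 16 * 0x41 = 1040
 *   1 = header declares 512 bytes (> buf)  -> -1, the overflow case
 *   2 = header declares 16, only 4 present -> -1, the over-read case */
long run_checked_case(int kind)
{
    uint8_t frame[MAX_FRAME];
    size_t n;
    switch (kind) {
    case 0:  n = make_frame(frame, 16, 16, 0x41);   break;
    case 1:  n = make_frame(frame, 512, 512, 0x41); break;
    default: n = make_frame(frame, 16, 4, 0x41);    break;
    }
    return decode_frame_checked(frame, n);
}

/* The unchecked decoder on the well-formed frame only: feeding it case 1 is
 * the stack overflow and is deliberately not executed here. */
long run_unchecked_good(void)
{
    uint8_t frame[MAX_FRAME];
    size_t n = make_frame(frame, 16, 16, 0x41);
    return decode_frame_unchecked(frame, n);
}

int main(void)
{
    printf("checked: good=%ld oversized=%ld truncated=%ld\n",
           run_checked_case(0), run_checked_case(1), run_checked_case(2));
    printf("unchecked: good=%ld\n", run_unchecked_good());
    return 0;
}
```

The order of the two checks in `decode_frame_checked` matters on real decoders: comparing against `sizeof buf` stops the stack write, and comparing against the remaining input stops the decoder from pulling adjacent memory into the buffer when a frame is truncated. Both are cheap, and both are absent in the unchecked version, which is the shape of the defect the advisory attributes to the ALAC codec.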
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Where the device firmware enables them, memory protections such as a non-executable stack, stack canaries and address-space layout randomization raise the cost of exploiting an out-of-bounds write: injected shellcode cannot run from a non-executable stack, and a canary or randomized layout makes a corrupted return address harder to turn into reliable code execution. These are mitigations only; the fix is the vendor update to S2 version 3.4.1 or S1 version 11.2.13 build 57923290.