Cyber Resilience

CVE-2022-24049

Severity: Critical
Published: 18 February 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: vendor updates available (see Deeper analysis)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3796 (97.3rd percentile)
Risk Priority: 42 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-24049 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Sonos S1. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS 0.3796); it is not currently listed in the CISA KEV catalog.

Deeper analysis

This vulnerability is a stack-based buffer overflow in the ALAC audio codec used by Sonos One speakers. It affects S2 systems prior to version 3.4.1 and S1 systems prior to version 11.2.13 build 57923290. The flaw (CWE-121 and CWE-787) stems from missing validation of the length of attacker-supplied data before it is copied into a fixed-size buffer on the stack, enabling out-of-bounds writes. The issue carries a CVSS 3.1 score of 9.8.

Remote attackers can exploit the vulnerability without authentication by sending a crafted audio stream to an affected device. Successful exploitation grants arbitrary code execution in the context of the root user, allowing full control of the speaker.

The Zero Day Initiative advisory ZDI-22-261, which assigned the identifier ZDI-CAN-15798, identifies the affected Sonos firmware versions and indicates that the vendor has released updates to version 3.4.1 (S2) and 11.2.13 build 57923290 (S1) to address the issue. The EPSS score has remained flat at 0.3796 with no material increase since disclosure.


Vulnerability details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems). Authentication is not required to exploit this vulnerability. The specific flaw exists within the ALAC audio codec. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15798.
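The weakness described in the Deeper analysis section and restated in the ZDI details above is the generic CWE-121 pattern: a length read from the input stream is used to copy data into a fixed-size stack buffer without first being checked. The C program below is an added illustration written for this page; it is not Sonos or ALAC code. Its frame layout (a constructed 2-byte big-endian length prefix followed by the payload), the function names decode_frame_unsafe and decode_frame_safe, and the sample frames are all assumptions. It places the unchecked copy beside the hardened form, which validates the stream-supplied length against both the buffer size and the number of bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example (not the ALAC
 * format): a 2-byte big-endian payload length followed by the payload. */
#define FRAME_BUF_SIZE 64

/* Reads the 16-bit big-endian length prefix. */
static size_t read_be16(const uint8_t *p) {
    return ((size_t)p[0] << 8) | p[1];
}

/* CWE-121 pattern: the length comes from the stream and is trusted.
 * Shown only to illustrate the missing check. Never call this with a
 * payload length greater than FRAME_BUF_SIZE; the copy would then write
 * past the end of the stack buffer (undefined behaviour). */
int decode_frame_unsafe(const uint8_t *frame, size_t frame_len) {
    uint8_t samples[FRAME_BUF_SIZE];
    if (frame_len < 2) return -1;
    size_t payload_len = read_be16(frame);
    /* Missing: payload_len is never compared to sizeof samples. */
    memcpy(samples, frame + 2, payload_len);
    return (int)payload_len;
}

/* Hardened form: validate the stream-supplied length against both the
 * stack buffer and the bytes actually present before copying. */
int decode_frame_safe(const uint8_t *frame, size_t frame_len) {
    uint8_t samples[FRAME_BUF_SIZE];
    if (frame_len < 2) return -1;                 /* no length field present */
    size_t payload_len = read_be16(frame);
    if (payload_len > sizeof samples) return -2;  /* would overflow the stack buffer */
    if (payload_len > frame_len - 2) return -3;   /* would over-read the input */
    memcpy(samples, frame + 2, payload_len);
    return (int)payload_len;                      /* bytes decoded */
}

/* Constructed sample inputs. */
static const uint8_t good_frame[]  = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
/* Claims 1000 bytes of payload but carries only 4: the malformed case. */
static const uint8_t bad_frame[]   = { 0x03, 0xE8, 'a', 'b', 'c', 'd' };
/* Claims 32 bytes (fits the buffer) but carries only 2: a truncated frame. */
static const uint8_t short_frame[] = { 0x00, 0x20, 'a', 'b' };

int main(void) {
    printf("good:  %d\n", decode_frame_safe(good_frame, sizeof good_frame));
    printf("bad:   %d\n", decode_frame_safe(bad_frame, sizeof bad_frame));
    printf("short: %d\n", decode_frame_safe(short_frame, sizeof short_frame));
    return 0;
}
```

decode_frame_unsafe is included only to make the absent check visible; the hardened decoder rejects the oversized length before any copy happens. Build-time protections of the kind the Mitigating Controls section alludes to (for example GCC/Clang -fstack-protector-strong and a non-executable stack) reduce the impact of such a write but do not replace the length check.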

CWE(s): CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor  Product  Versions
sonos   s1       ≤ 11.2.13
sonos   s2       ≤ 3.4.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-787: Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
