Cyber Resilience

CVE-2026-4149

Severity: Critical
Published: 11 April 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0100 (58.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4149 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Sonos Era 300 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 41.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

This vulnerability is an out-of-bounds memory access flaw in the Sonos Era 300 smart speaker that leads to remote code execution. It resides in the handling of the DataOffset field inside inbound SMB responses, where insufficient validation of attacker-supplied values permits access beyond the end of an allocated buffer. The resulting memory corruption occurs in kernel context and carries a CVSS 3.1 score of 9.8.

Remote, unauthenticated attackers can send a crafted SMB response to an affected device and achieve arbitrary code execution without user interaction. The attack requires only network adjacency to the target and exploits the device’s SMB client implementation directly.

The issue was reported as ZDI-CAN-28345 and is covered by Zero Day Initiative advisory ZDI-26-192. No additional mitigation details are supplied in the available reference.
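The validation the advisory says is missing, as an added example that is not the Sonos firmware's code and not taken from the ZDI advisory: a client-side check of the DataOffset/DataLength pair before the payload is touched. The message layout here is a constructed stand-in, not the real SMB wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for an SMB response as a client sees it: a fixed
 * header whose DataOffset/DataLength pair (both little-endian, both chosen
 * by the server) describe where the payload lies. This is NOT the Sonos
 * firmware's code and NOT the real SMB wire layout; it models the flaw class. */
#define HDR_LEN 8 /* command(2) status(2) data_offset(2) data_length(2) */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Locate the payload described by the header. Returns its length, or -1 if the
 * response is malformed. The bug the advisory describes is what happens when
 * the range checks below are missing: the caller indexes msg past msg_len. */
static int smb_payload(const uint8_t *msg, size_t msg_len, const uint8_t **payload)
{
    if (msg_len < HDR_LEN)                       /* header itself must fit */
        return -1;
    size_t off = le16(msg + 4);                  /* DataOffset, attacker-controlled */
    size_t len = le16(msg + 6);                  /* DataLength, attacker-controlled */
    if (off < HDR_LEN || off > msg_len)          /* payload must start inside the message */
        return -1;
    if (len > msg_len - off)                     /* subtract, never add: cannot wrap */
        return -1;
    *payload = msg + off;
    return (int)len;
}

/* Constructed sample responses: 8-byte header followed by 4 payload bytes. */
static const uint8_t good[]    = { 0x08,0x00, 0x00,0x00, 0x08,0x00, 0x04,0x00, 'd','a','t','a' };
static const uint8_t bad_off[] = { 0x08,0x00, 0x00,0x00, 0x00,0x10, 0x04,0x00, 'd','a','t','a' }; /* offset 0x1000 */
static const uint8_t bad_len[] = { 0x08,0x00, 0x00,0x00, 0x08,0x00, 0xff,0xff, 'd','a','t','a' }; /* length 65535 */

int check_good(void)    { const uint8_t *p; return smb_payload(good, sizeof good, &p); }
int check_bad_off(void) { const uint8_t *p; return smb_payload(bad_off, sizeof bad_off, &p); }
int check_bad_len(void) { const uint8_t *p; return smb_payload(bad_len, sizeof bad_len, &p); }

int main(void)
{
    printf("good: %d, bad offset: %d, bad length: %d\n",
           check_good(), check_bad_off(), check_bad_len());
    return 0;
}
```

The two malformed responses are rejected before any byte past the message end is read; the well-formed one yields its 4-byte payload.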


Vulnerability details

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.

CWE(s)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The vulnerability allows remote, unauthenticated attackers to achieve kernel-level RCE by sending crafted SMB responses to the public-facing Sonos Era 300 speaker service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14572 (shared CWE-119)
CVE-2025-33077 (shared CWE-119)
CVE-2025-30437 (shared CWE-119)
CVE-2022-38693 (shared CWE-119)
CVE-2025-7775 (shared CWE-119)
CVE-2025-33076 (shared CWE-119)
CVE-2026-6775 (shared CWE-119)
CVE-2025-7776 (shared CWE-119)
CVE-2026-39892 (shared CWE-119)
CVE-2025-9246 (shared CWE-119)

Affected Assets

Sonos Era 300 Firmware, versions ≤ 83.1-61240

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of the DataOffset field in SMB responses, which is the precise flaw enabling out-of-bounds access.

SI-16 Memory Protection (prevent): Enforces memory-protection mechanisms that block exploitation of the out-of-bounds read/write leading to kernel RCE.

Network boundary restriction (prevent): Restricts inbound SMB traffic from untrusted adjacent networks, reducing the attack surface for unauthenticated crafted responses.

References

Zero Day Initiative advisory ZDI-26-192 (reported as ZDI-CAN-28345)