CVE-2026-4149
Published: 11 April 2026
Summary
CVE-2026-4149 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Sonos Era 300 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
This vulnerability is an out-of-bounds memory access flaw in the Sonos Era 300 smart speaker that leads to remote code execution. It resides in the handling of the DataOffset field of inbound SMB responses: the value is attacker-supplied and insufficiently validated, so it can direct a memory access beyond the end of the allocated buffer. The resulting memory corruption occurs in kernel context and carries a CVSS 3.1 score of 9.8.
Remote, unauthenticated attackers can send a crafted SMB response to an affected device and achieve arbitrary code execution without user interaction. The attack requires only network adjacency to the target and exploits the device’s SMB client implementation directly.
The issue was reported as ZDI-CAN-28345 and is covered by Zero Day Initiative advisory ZDI-26-192. No additional mitigation details are supplied in the available reference.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21627
Vulnerability details
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.
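As an added example (not code from Sonos or from the ZDI advisory), the bounds checks an SMB2 client should apply to DataOffset and DataLength in a READ response before dereferencing the payload, with a constructed sample packet to exercise the accept and reject paths. It assumes the SMB2 READ response layout (a 64-byte packet header followed by a 16-byte fixed part, with DataOffset counted from the start of the header); the structure of the affected Sonos code is not given on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SMB2_HDR_LEN    64  /* fixed SMB2 packet header (assumed layout) */
#define READ_RESP_FIXED 16  /* fixed part of an SMB2 READ response */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Locate the READ payload: returns 0 and sets *data/*len, or -1 if malformed.
 * DataOffset and DataLength arrive from the peer, so each is checked against
 * the real packet length before being turned into a pointer. */
int smb2_read_resp_payload(const uint8_t *pkt, size_t pkt_len,
                           const uint8_t **data, uint32_t *len)
{
    if (pkt_len < SMB2_HDR_LEN + READ_RESP_FIXED) return -1;    /* truncated */
    const uint8_t *resp = pkt + SMB2_HDR_LEN;
    if (rd16(resp) != 17) return -1;                 /* StructureSize must be 17 */
    uint8_t  data_off = resp[2];                     /* DataOffset, from SMB2 header start */
    uint32_t data_len = rd32(resp + 4);              /* DataLength */
    if (data_off < SMB2_HDR_LEN + READ_RESP_FIXED) return -1;   /* inside the headers */
    if (data_off > pkt_len) return -1;               /* starts beyond the packet */
    if (data_len > pkt_len - data_off) return -1;    /* would run past the end */
    *data = pkt + data_off; *len = data_len;
    return 0;
}

/* Constructed sample: zeroed header, StructureSize 17, caller-chosen
 * DataOffset/DataLength, and 4 payload bytes at the canonical offset 80. */
static size_t build_read_resp(uint8_t *buf, size_t cap, uint8_t off, uint32_t dlen)
{
    size_t total = SMB2_HDR_LEN + READ_RESP_FIXED + 4;
    if (total > cap) return 0;
    memset(buf, 0, cap);
    uint8_t *resp = buf + SMB2_HDR_LEN;
    resp[0] = 17; resp[2] = off;
    for (int i = 0; i < 4; i++) resp[4 + i] = (uint8_t)(dlen >> (8 * i));
    memcpy(buf + SMB2_HDR_LEN + READ_RESP_FIXED, "DATA", 4);
    return total;
}

/* Parse one constructed response; returns payload length, or -1 if rejected. */
int parse_constructed(uint8_t off, uint32_t dlen)
{
    uint8_t buf[128]; const uint8_t *d; uint32_t n;
    size_t len = build_read_resp(buf, sizeof buf, off, dlen);
    return smb2_read_resp_payload(buf, len, &d, &n) == 0 ? (int)n : -1;
}
```

The constructed packet is 84 bytes, so a DataOffset of 80 with DataLength 4 is accepted, while an offset inside the headers, an offset past the packet, or a length that overruns the buffer is rejected before any pointer is formed.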
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated attackers to achieve kernel-level RCE by sending crafted SMB responses to the public-facing Sonos Era 300 speaker service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the DataOffset field in SMB responses, which is the precise flaw enabling out-of-bounds access.
- SI-16 (Memory Protection): enforces memory-protection mechanisms that block exploitation of the out-of-bounds read/write leading to kernel RCE.
- Restricting inbound SMB traffic from untrusted adjacent networks reduces the attack surface for unauthenticated crafted responses.