CVE-2026-4149: Sonos Era 300 Unauthenticated Remote Code Execution
A critical zero-authentication remote code execution vulnerability tracked as CVE-2026-4149 has been disclosed in the Sonos Era 300 smart speaker. The flaw resides in how the device processes SMB (Server Message Block) responses and allows a remote attacker to execute arbitrary code at the kernel privilege level without any authentication or user interaction.
The vulnerability was published on April 11, 2026 and assigned a maximum CVSS v3.0 score of 10.0 (Critical). It was discovered and reported to Sonos through the Zero Day Initiative (ZDI) under advisory ZDI-26-192 (internal tracking ZDI-CAN-28345). No patch has been confirmed by Sonos at the time of disclosure.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-4149 |
| ZDI Advisory | ZDI-26-192 |
| CVSS Score | 10.0 (Critical) |
| CVSS Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE Classification | CWE-119 — Improper Restriction of Operations within Bounds of a Memory Buffer |
| Affected Component | SMB response handler — DataOffset field validation |
| Attack Vector | Network (remote) |
| Authentication Required | None |
| User Interaction Required | None |
| Primary Impact | Arbitrary code execution at kernel level |
| Patch Available | Not confirmed at time of disclosure |
Affected Products
| Product | Status |
|---|---|
| Sonos Era 300 | Vulnerable (all firmware through v92.0-72171) |
No other Era-series or Sonos models have been confirmed affected at time of writing. The most recent firmware release prior to disclosure (version 92.0-72171, released January 6, 2026) covers Era 100, Move 2, Sub 4, and Arc Ultra but does not address this vulnerability.
Technical Details
Root Cause
The vulnerability exists in the Sonos Era 300's handling of SMB responses. The device fails to properly validate the DataOffset field within incoming SMB response packets. That validation is the sole technical guard on a memory copy operation; because it is missing, a remote attacker can supply a malformed DataOffset value that triggers an out-of-bounds memory access.
The malformed value causes the device to read and/or write memory outside the bounds of an allocated buffer. This memory corruption is exploitable to redirect program execution flow, resulting in arbitrary code execution at the kernel privilege level.
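To make the root cause concrete, here is an added example (written for this page, not Sonos's code) of what a DataOffset bounds check on an SMB response looks like. It uses the SMB2 READ response layout from MS-SMB2 2.2.20 (64-byte header, 16-byte fixed body, then the data); that the Era 300 parser handles this exact message, and the request-size ceiling `MAX_READ_LEN`, are assumptions of the example. The three checks in `parse_read_response` are the ones a CWE-119 bug of this shape lacks: all of them run on attacker-controlled fields before any copy.

```python
"""Added example (not Sonos's code): a DataOffset/DataLength bounds check on an
SMB2 READ response (layout per MS-SMB2 2.2.20). Whether the Era 300 parser
handles this exact message is an assumption."""
import struct
from typing import Optional

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_LEN = 64          # fixed SMB2 header size (MS-SMB2 2.2.1)
READ_RESP_BODY_LEN = 16       # fixed part of the READ response body
READ_RESP_STRUCT_SIZE = 17    # StructureSize: 16-byte body + 1 byte of Buffer
MAX_READ_LEN = 1 << 20        # hypothetical ceiling: what the client requested


class MalformedResponse(ValueError):
    """Raised when a response's DataOffset/DataLength do not fit the packet."""


def build_read_response(data: bytes, data_offset: Optional[int] = None,
                        data_length: Optional[int] = None) -> bytes:
    """Construct a minimal SMB2 READ response for testing (header zeroed apart
    from ProtocolId). data_offset/data_length override the legitimate values to
    simulate a server sending fields that disagree with the packet."""
    header = SMB2_PROTOCOL_ID + b"\x00" * (SMB2_HEADER_LEN - 4)
    if data_offset is None:
        data_offset = SMB2_HEADER_LEN + READ_RESP_BODY_LEN   # 80: data follows the body
    if data_length is None:
        data_length = len(data)
    # StructureSize, DataOffset, Reserved, DataLength, DataRemaining, Reserved2
    body = struct.pack("<HBBIII", READ_RESP_STRUCT_SIZE, data_offset, 0,
                       data_length, 0, 0)
    return header + body + data


def parse_read_response(packet: bytes, max_read_len: int = MAX_READ_LEN) -> bytes:
    """Return the data payload of an SMB2 READ response, refusing to copy from
    any region that lies outside the bytes actually received."""
    if len(packet) < SMB2_HEADER_LEN + READ_RESP_BODY_LEN:
        raise MalformedResponse("packet shorter than SMB2 header + READ response body")
    if packet[:4] != SMB2_PROTOCOL_ID:
        raise MalformedResponse("not an SMB2 message")
    struct_size, data_offset, _, data_length, _, _ = struct.unpack_from(
        "<HBBIII", packet, SMB2_HEADER_LEN)
    if struct_size != READ_RESP_STRUCT_SIZE:
        raise MalformedResponse(f"unexpected StructureSize {struct_size}")
    # The checks the advisory describes as missing.
    # 1. The payload cannot start inside the header or the fixed body.
    if data_offset < SMB2_HEADER_LEN + READ_RESP_BODY_LEN:
        raise MalformedResponse(f"DataOffset {data_offset} points inside the header")
    # 2. offset + length must fit in the packet. Written as a subtraction so a
    #    C port cannot wrap on 'offset + length' before the comparison.
    if data_length > len(packet) - data_offset:
        raise MalformedResponse(
            f"DataOffset {data_offset} + DataLength {data_length} exceeds {len(packet)} bytes")
    # 3. The server may not return more than the client asked for.
    if data_length > max_read_len:
        raise MalformedResponse(f"DataLength {data_length} exceeds request size")
    return packet[data_offset:data_offset + data_length]


def check_response(packet: bytes) -> str:
    """Convenience wrapper: 'ok' or the reason the packet was rejected."""
    try:
        parse_read_response(packet)
        return "ok"
    except MalformedResponse as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed packets: one well-formed, three with inconsistent fields.
    cases = {
        "well-formed": build_read_response(b"hello"),
        "DataOffset inside header": build_read_response(b"hello", data_offset=20),
        "DataLength past end of packet": build_read_response(b"hello", data_length=4096),
        "DataOffset past end of packet": build_read_response(b"hello", data_offset=200),
    }
    for name, pkt in cases.items():
        print(f"{name:32s} -> {check_response(pkt)}")
```

The second check is the one that matters most for a C implementation: comparing `data_length > len(packet) - data_offset` instead of `data_offset + data_length > len(packet)` avoids an integer wrap turning an oversized length into a value that passes the test.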
Attack Path
Remote attacker sends crafted SMB response
→ Sonos Era 300 processes incoming SMB response
→ DataOffset field in SMB response NOT validated
→ Out-of-bounds memory access triggered
→ Memory corruption enables code execution
→ Arbitrary code execution at kernel level (no auth required)
Attack Characteristics
This vulnerability represents the worst-case attack profile for a consumer IoT device:
- Zero authentication — any device on the same network segment (or exposed to the internet) can trigger the flaw
- Zero user interaction — no physical access, button presses, or user-side interaction required
- Zero-click — the exploit fires passively as the speaker processes network SMB traffic
- Kernel-level code execution — compromised device gives the attacker the highest available privilege level
- Network reachable — attack works over standard TCP/IP networking
CVSS Breakdown
| Metric | Value | Justification |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | Low | No special conditions or race conditions required |
| Privileges Required | None | No account or credentials needed |
| User Interaction | None | No action required from device owner |
| Scope | Changed | Impact crosses privilege/trust boundaries |
| Confidentiality Impact | High | Full system compromise |
| Integrity Impact | High | Full system compromise |
| Availability Impact | High | Full system compromise |
| Base Score | 10.0 Critical | Maximum possible score |
Impact Assessment
| Impact Area | Description |
|---|---|
| Immediate Exploitation Risk | A network-adjacent attacker can fully compromise the device with a single crafted packet |
| Persistence | Kernel-level access enables persistent implants, backdoors, and traffic interception |
| Network Pivoting | Compromised speaker can serve as a pivot point to attack other devices on the home or corporate network |
| Audio Surveillance | Attacker with kernel access can activate microphones and exfiltrate audio from the environment |
| Home Automation Risk | Era 300 integration with smart home systems (Sonos app, voice assistants) creates downstream compromise paths |
| Enterprise Risk | Era 300 units deployed in conference rooms represent a significant lateral movement opportunity |
Exploitation Status
- Active exploitation in the wild: Not confirmed at time of disclosure
- Public proof-of-concept (PoC): Not published at time of disclosure
- ZDI disclosure: ZDI followed coordinated disclosure procedures; the advisory was published after the standard 120-day window from the March 13, 2026 reservation date
The absence of a confirmed patch at time of ZDI publication is notable and unusual. Vendors typically have a patch ready by the time ZDI releases an advisory under coordinated disclosure.
Remediation
Official Patch
No confirmed patch version has been announced by Sonos at time of writing. Monitor Sonos release notes and the ZDI advisory page (ZDI-26-192) for updates.
Network-Level Mitigations (Apply Immediately)
Until a patch is available, these mitigations significantly reduce the attack surface:
1. Network Isolation
Place Sonos Era 300 devices on a dedicated IoT VLAN or Wi-Fi segment that cannot initiate or receive connections from untrusted networks or internet-exposed interfaces.
[Internet] → [Router/Firewall]
                 ├── [IoT VLAN: 192.168.20.0/24]
                 │     ├── Sonos Era 300
                 │     └── Other IoT devices
                 └── [Corporate LAN / Home Network: 192.168.1.0/24]
                       └── Workstations, servers, laptops

Firewall rule on the router: DENY IoT VLAN ↔ Corporate LAN
2. Block SMB at the Network Perimeter
Block inbound SMB traffic (TCP port 445, TCP port 139) to the network segment containing Sonos devices:
# Example iptables rules, applied on the router/firewall that routes between segments.
# -A FORWARD matches only traffic routed through this host; it does not see traffic
# that stays inside a single L2 segment. Replace <sonos-subnet> with the IoT VLAN's CIDR.
iptables -A FORWARD -d <sonos-subnet> -p tcp --dport 445 -j DROP   # SMB directly over TCP
iptables -A FORWARD -d <sonos-subnet> -p tcp --dport 139 -j DROP   # SMB over NetBIOS session service
3. Disable Internet Exposure
Ensure Sonos devices are not directly internet-reachable. Verify that your router/firewall does not forward any ports to Sonos devices.
4. Monitor for Anomalous Traffic
Configure network monitoring to alert on unusual outbound connections from the Sonos device subnet — particularly connections to external IPs on uncommon ports, which may indicate post-exploitation activity.
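As an added example of that monitoring rule (written for this page, not part of the advisory), the following runs detection logic over constructed flow records. The subnets are taken from the layout in step 1; the NAS address in `ALLOWED_SMB_SERVERS`, the expected-port list and the record format are assumptions for the example. Beyond the "external IP on an uncommon port" case the text names, it also flags IoT-to-corporate traffic (which the step 1 policy says should never appear) and SMB sessions to any server other than the one NAS the speakers are expected to index.

```python
"""Added example (not from the advisory): flow-record detection for a Sonos
IoT segment. Subnets follow the advisory's example layout; the NAS address,
expected ports and record format are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

IOT_SUBNET = ipaddress.ip_network("192.168.20.0/24")      # IoT VLAN from the layout above
CORP_SUBNET = ipaddress.ip_network("192.168.1.0/24")      # corporate / home LAN
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}
# Assumption: the only SMB server the speakers should ever talk to is this NAS.
ALLOWED_SMB_SERVERS = {ipaddress.ip_address("192.168.20.2")}
# Assumption: outbound ports a speaker legitimately uses (HTTPS, HTTP, DNS, NTP).
EXPECTED_OUTBOUND_PORTS = {443, 80, 53, 123}

REASON_CORP = "IoT VLAN to corporate LAN (policy says DENY)"
REASON_SMB = "SMB session to a non-allowlisted server"
REASON_EXT = "external destination on an uncommon port"


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """RFC 1918 membership, used instead of is_global so documentation
    ranges such as 203.0.113.0/24 count as external in the sample."""
    return any(ip in net for net in RFC1918)


def parse_flow(line: str):
    """Constructed record format: '<timestamp> <src_ip> <dst_ip> <proto> <dst_port>'."""
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def analyse_flows(lines: Iterable[str]) -> List[Alert]:
    """Flag flows originating in the IoT VLAN that a speaker has no business
    making. Each flow yields at most one alert (first matching rule wins)."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _proto, dport = parse_flow(line)
        if src not in IOT_SUBNET:
            continue   # only traffic originating from the IoT segment is in scope
        if dst in CORP_SUBNET:
            reason = REASON_CORP
        elif dport in SMB_PORTS and dst not in ALLOWED_SMB_SERVERS:
            reason = REASON_SMB
        elif not is_internal(dst) and dport not in EXPECTED_OUTBOUND_PORTS:
            reason = REASON_EXT
        else:
            continue
        alerts.append(Alert(ts, str(src), str(dst), dport, reason))
    return alerts


# Constructed sample flows (not real traffic). 192.168.20.15 is the speaker.
SAMPLE_FLOWS = """\
# ts src dst proto dport
2026-04-12T10:00:01Z 192.168.20.15 192.168.20.2   tcp 445
2026-04-12T10:00:05Z 192.168.20.15 203.0.113.5    tcp 443
2026-04-12T10:01:10Z 192.168.20.15 203.0.113.77   tcp 4444
2026-04-12T10:01:12Z 192.168.20.15 192.168.1.10   tcp 22
2026-04-12T10:02:00Z 192.168.20.15 192.168.20.99  tcp 445
2026-04-12T10:02:30Z 192.168.1.10  203.0.113.77   tcp 4444
"""

if __name__ == "__main__":
    for a in analyse_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

On the sample, the NAS index session and the HTTPS connection pass silently and three flows are flagged: the external 4444 connection, the hop into the corporate LAN, and the SMB session to an unexpected host. Feeding real records means only replacing `parse_flow` with a reader for your flow exporter's format.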
Context: SMB on Smart Speakers
SMB (Server Message Block) is a network file sharing protocol traditionally associated with Windows environments. Its presence in a consumer smart speaker may seem unexpected — however, Sonos devices use SMB to support media library indexing from network-attached storage (NAS) and shared folders on home networks. This functionality expands the device's attack surface beyond typical IoT Wi-Fi protocols to include infrastructure-grade network protocols with a long record of serious vulnerabilities (EternalBlue, WannaCry, etc.).
The combination of a consumer IoT device, SMB implementation, and a CVSS 10 unauthenticated RCE represents a convergence of risk categories that security teams should treat as high priority.
Key Takeaways
- CVE-2026-4149 is a CVSS 10 critical unauthenticated RCE in the Sonos Era 300, exploitable over the network with no user interaction
- The flaw is in the SMB response handler's DataOffset validation — a missing bounds check enables kernel-level memory corruption
- No patch has been confirmed by Sonos at time of ZDI disclosure on April 11, 2026
- Immediate mitigations include VLAN isolation, blocking SMB ports to the device subnet, and disabling direct internet exposure
- Conference room and enterprise deployments of Era 300 are at elevated risk due to network proximity to sensitive infrastructure
- Monitor ZDI-26-192 and Sonos release notes for patch availability