17.5.1
CVE-2026-4149 describes a critical Remote Code Execution (RCE) vulnerability discovered in the Sonos Era 300 smart speaker. This flaw allows an attacker to execute arbitrary code on the device without authentication. The vulnerability affects devices running firmware versions 17.5–17.5 (build 91.0-70070), and a patch is expected to be released by Sonos. Successful exploitation could grant an attacker complete control over the affected Sonos device.
The impact of CVE-2026-4149 is severe due to the RCE nature of the vulnerability and the lack of authentication required for exploitation. An attacker within network range of a vulnerable Sonos Era 300 can leverage this flaw to execute arbitrary code within the device's kernel. This could lead to complete device compromise, including data theft (potentially including user credentials stored locally), unauthorized access to the home network, and the installation of malware. The absence of authentication significantly lowers the barrier to entry for attackers, making this a high-priority vulnerability to address. The vulnerability stems from improper validation of the DataOffset field within SMB responses, allowing for out-of-bounds memory access.
CVE-2026-4149 was disclosed on 2026-04-11. It is tracked by ZDI and assigned a CVSS score of 10 (CRITICAL). Public proof-of-concept (PoC) code is currently unavailable, but the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS
1.22% (79% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4149 is to upgrade the Sonos Era 300 firmware to the patched version as soon as it becomes available from Sonos. Until the patch is applied, consider segmenting the Sonos device from your primary home network to limit the potential blast radius of a successful attack. Network-based intrusion detection systems (IDS) should be configured to monitor for suspicious SMB traffic targeting Sonos devices. While a direct WAF rule is unlikely to be effective, monitoring for unusual network activity originating from the Sonos device is recommended. After upgrading, confirm the successful update by checking the device's firmware version in the Sonos app.
Update the Sonos Era 300 device to the latest firmware version provided by Sonos. This update addresses the out-of-bounds access vulnerability in SMB responses, preventing arbitrary code execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-4149 is a critical Remote Code Execution vulnerability affecting Sonos Era 300 devices. It allows attackers to execute code without authentication due to improper SMB response handling.
You are affected if your Sonos Era 300 is running firmware version 17.5–17.5 (build 91.0-70070). Check your device's firmware version in the Sonos app.
Upgrade your Sonos Era 300 firmware to the latest available version as soon as it is released by Sonos. Monitor Sonos's website for updates.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest a high probability of future exploitation. Monitor security advisories.
Refer to the official Sonos security advisory on their website: [https://www.sonos.com/en-us/support/security/security-advisories](https://www.sonos.com/en-us/support/security/security-advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.