VYPR advisory
Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

Critical RCE Vulnerability in Sonos Era 300 Speakers Allows Unauthenticated Kernel-Level Code Execution

A critical unauthenticated remote code execution vulnerability (CVE-2026-4149) in Sonos Era 300 speakers allows attackers to execute arbitrary code at the kernel level via a flaw in SMB response handling.

A critical remote code execution vulnerability has been disclosed in Sonos Era 300 smart speakers, carrying the maximum CVSS score of 10.0. The flaw, tracked as CVE-2026-4149 and reported by researcher dmdung (@_piers2) of STAR Labs SG Pte. Ltd., allows unauthenticated attackers to execute arbitrary code in the context of the kernel, giving them complete control over the device.

The vulnerability resides in the handling of the DataOffset field within SMB responses. The issue results from a lack of proper validation of user-supplied data: the offset is used to locate data inside the received message without being checked against the size of the buffer that actually holds it, which can lead to a memory access past the end of an allocated buffer. Because the flaw is in the speaker's handling of responses, the malicious input comes from the SMB peer the speaker talks to, not from a client connecting to the speaker. This out-of-bounds access can be triggered remotely without any authentication, making it especially dangerous for devices reachable from untrusted networks.
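To make the bug class concrete, here is an added example (written for this page; it is not Sonos firmware code and not taken from the ZDI advisory) showing an unchecked SMB2 response parser next to a hardened one. The advisory does not say which SMB message is affected, so the example assumes the SMB2 READ response from MS-SMB2, which carries a one-byte DataOffset and a four-byte DataLength after a 64-byte header; the sample packets are constructed in the code, not captured traffic. The point is the check the hardened parser adds: every offset and length supplied by the peer is compared against the number of bytes actually received before it is turned into a pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout per MS-SMB2 (assumed message type): 64-byte header, then a READ
   response body whose fixed part is StructureSize(2) DataOffset(1)
   Reserved(1) DataLength(4) DataRemaining(4) Reserved2(4), then the data. */
#define SMB2_HDR_LEN          64u
#define SMB2_READ_FIXED       16u
#define SMB2_READ_STRUCT_SIZE 17u

typedef struct {
    const uint8_t *data;   /* points into the receive buffer */
    uint32_t len;
} smb2_read_view;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern behind the bug class: DataOffset and DataLength come from the
   peer and are used to index the receive buffer without ever being compared
   to the number of bytes received. Kept only for contrast. */
int parse_read_unchecked(const uint8_t *pkt, size_t pkt_len, smb2_read_view *out)
{
    (void)pkt_len;                              /* never consulted */
    const uint8_t *body = pkt + SMB2_HDR_LEN;
    out->data = pkt + body[2];                  /* DataOffset, unvalidated */
    out->len  = rd32(body + 4);                 /* DataLength, unvalidated */
    return 0;
}

/* Hardened parser: offsets and lengths are validated against pkt_len
   before they form a pointer or a span. Returns 0 on success, -1 on reject. */
int parse_read_checked(const uint8_t *pkt, size_t pkt_len, smb2_read_view *out)
{
    if (pkt_len < SMB2_HDR_LEN + SMB2_READ_FIXED) return -1;    /* truncated */
    const uint8_t *body = pkt + SMB2_HDR_LEN;
    if (rd16(body) != SMB2_READ_STRUCT_SIZE) return -1;        /* wrong shape */
    uint8_t  data_offset = body[2];
    uint32_t data_length = rd32(body + 4);
    /* data must start after the fixed fields and inside the packet ... */
    if (data_offset < SMB2_HDR_LEN + SMB2_READ_FIXED) return -1;
    if ((size_t)data_offset > pkt_len) return -1;
    /* ... and must end inside it too; written as a subtraction so that
       data_offset + data_length cannot wrap around. */
    if (data_length > pkt_len - data_offset) return -1;
    out->data = pkt + data_offset;
    out->len  = data_length;
    return 0;
}

/* Builds a constructed sample response (not captured traffic). */
static size_t build_resp(uint8_t *buf, uint8_t data_offset, uint32_t data_length,
                         const uint8_t *payload, size_t payload_len)
{
    memset(buf, 0, SMB2_HDR_LEN + SMB2_READ_FIXED);
    uint8_t *body = buf + SMB2_HDR_LEN;
    body[0] = SMB2_READ_STRUCT_SIZE; body[1] = 0;
    body[2] = data_offset;
    body[4] = (uint8_t)data_length;         body[5] = (uint8_t)(data_length >> 8);
    body[6] = (uint8_t)(data_length >> 16); body[7] = (uint8_t)(data_length >> 24);
    if (payload_len) memcpy(body + SMB2_READ_FIXED, payload, payload_len);
    return SMB2_HDR_LEN + SMB2_READ_FIXED + payload_len;
}

/* Well-formed response: 5 bytes of data at the canonical offset 80. */
int demo_valid(void)
{
    uint8_t pkt[128]; smb2_read_view v;
    size_t n = build_resp(pkt, 80, 5, (const uint8_t *)"hello", 5);
    if (parse_read_checked(pkt, n, &v) != 0) return -1;
    return (v.len == 5 && memcmp(v.data, "hello", 5) == 0) ? 0 : -1;
}

/* DataLength claims far more than was received: the unchecked parser hands
   back a 4 GB span over an 85-byte message; the checked one rejects it. */
int demo_oversized_length(void)
{
    uint8_t pkt[128]; smb2_read_view v;
    size_t n = build_resp(pkt, 80, 0xFFFFFFFFu, (const uint8_t *)"hello", 5);
    int checked = parse_read_checked(pkt, n, &v);
    parse_read_unchecked(pkt, n, &v);           /* fills v without any check */
    return (checked == -1 && v.len == 0xFFFFFFFFu) ? 0 : -1;
}

/* DataOffset points beyond the end of the received bytes (81 received). */
int demo_offset_past_end(void)
{
    uint8_t pkt[128]; smb2_read_view v;
    size_t n = build_resp(pkt, 200, 1, (const uint8_t *)"x", 1);
    return parse_read_checked(pkt, n, &v) == -1 ? 0 : -1;
}

/* Message shorter than the fixed part of the body. */
int demo_truncated(void)
{
    uint8_t pkt[128]; smb2_read_view v;
    size_t n = build_resp(pkt, 80, 0, NULL, 0);
    return parse_read_checked(pkt, n - 10, &v) == -1 ? 0 : -1;
}
```

The unchecked variant is never given a pointer to dereference here; the demo functions only show that it accepts values the checked parser refuses. The three rejections (truncated message, offset past the end, length past the end) are the checks whose absence the advisory describes as "a lack of proper validation of user-supplied data", and the same shape of check applies to any SMB response field that encodes an offset or length.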

Sonos Era 300 is a high-end smart speaker that supports Wi-Fi, Bluetooth, and SMB file sharing for media playback. The vulnerability could be exploited by sending a specially crafted SMB response to the device, potentially allowing an attacker to execute arbitrary code at the kernel level. This could lead to full device compromise, including the ability to install malware, eavesdrop on audio, or pivot to other devices on the network.

The vulnerability was responsibly disclosed to Sonos on November 6, 2025, and a fix was released in firmware version 83.1-61240. Users are strongly advised to update their devices immediately via the Sonos app or by checking for updates in the system settings. The advisory was published on March 16, 2026, by the Zero Day Initiative as ZDI-26-192.

This vulnerability highlights the growing attack surface of IoT devices, particularly those that implement complex network protocols like SMB. With smart speakers becoming ubiquitous in homes and offices, the potential for remote exploitation poses significant privacy and security risks. Users should ensure their devices are updated and consider network segmentation to limit exposure.

Synthesized by Vypr AI