Security Advisory: 2026-0001
Advisory ID: SSA-2026-0001
Severity: High
Issue Date: 2026-03-25
CVE(s): CVE-2026-4149
Synopsis: Recent software update addresses security vulnerability in SMB protocol (CVE-2026-4149)
1. Impacted Products
- All S2 Systems.
- Affected versions: All releases prior to Sonos Systems release v17.7 (build 92.0-72171)
2. Introduction
One vulnerability was reported by security researchers through the Pwn2Own 2025 security competition. An update is available to remediate the vulnerability in affected Sonos systems.
3. SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability (CVE-2026-4149)
Description: A vulnerability exists in the SMB protocol client implementation within Sonos S2 systems that allows an attacker to force a protocol downgrade to a vulnerable version. This vulnerability does not affect Sonos S1 systems.
Known Attack Vectors: A malicious actor on the same local network could send a specially crafted SMB response to the device, potentially leading to arbitrary code execution. This issue is limited in scope and does not affect users unless a malicious actor gains access to their local network environment.
Resolution: To remediate CVE-2026-4149, apply the Sonos Systems Update v17.7 (build 92.0-72171) or later.
Additional Documentation: None
Acknowledgments: Sonos would like to thank STAR Labs SG Pte. Ltd and Zero Day Initiative for their responsible disclosure by reporting this issue to us.