Sonos speakers: Another Pwn2Own loophole plugged
Updates for Sonos speakers close another vulnerability discovered during the Pwn2Own contest in Ireland. The flaw allows attackers to inject code.
At the Pwn2Own competition in Dublin last December, participants discovered several security vulnerabilities in Sonos speaker systems. Now, the Zero Day Initiative (ZDI) and Sonos have jointly published information on another vulnerability.
In the ZDI security notice, the authors state that attackers can execute arbitrary code on affected Sonos Era 300 speakers from the network. Prior authentication is not required.
Problem during data processing
The problem occurs when processing crafted ALAC (Apple Lossless Audio Codec) data. The cause is an insufficient check of the length of the transferred data before it is copied into a heap-based buffer. The injected code runs in the context of the anacapa user account (CVE-2025-1051 / EUVD-2025-16688, CVSS 8.8, risk “high”).
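A copy into a heap buffer is safe only if the declared length is checked against both the bytes actually received and the space left in the destination. The following C code is an added example, not Sonos or ZDI code; the two-byte length-prefixed record layout and all names in it are constructed for illustration and are not the ALAC format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout (assumption, NOT the ALAC format):
 *   bytes 0..1  payload length, big-endian
 *   bytes 2..   payload                                        */
#define HDR_LEN 2u

enum { COPY_OK = 0, ERR_TRUNCATED = -1, ERR_TOO_LARGE = -2, ERR_NOMEM = -3 };

typedef struct {
    uint8_t *data; /* heap allocation                  */
    size_t   cap;  /* allocated size in bytes          */
    size_t   len;  /* bytes in use, invariant len<=cap */
} frame_buf;

int frame_buf_init(frame_buf *fb, size_t cap) {
    fb->data = malloc(cap);
    fb->cap  = fb->data ? cap : 0;
    fb->len  = 0;
    return fb->data ? COPY_OK : ERR_NOMEM;
}

void frame_buf_free(frame_buf *fb) {
    free(fb->data);
    fb->data = NULL;
    fb->cap = fb->len = 0;
}

/* The flawed pattern trusts the sender's length field:
 *     memcpy(fb->data + fb->len, in + HDR_LEN, declared);
 * The checked version rejects the record before any byte is copied. */
int append_payload_checked(frame_buf *fb, const uint8_t *in, size_t in_len) {
    if (in_len < HDR_LEN)
        return ERR_TRUNCATED;                 /* no complete header */
    size_t declared = ((size_t)in[0] << 8) | in[1];
    if (declared > in_len - HDR_LEN)
        return ERR_TRUNCATED;                 /* would read past the input */
    if (declared > fb->cap - fb->len)         /* subtraction cannot wrap: len<=cap */
        return ERR_TOO_LARGE;                 /* would write past the heap buffer */
    memcpy(fb->data + fb->len, in + HDR_LEN, declared);
    fb->len += declared;
    return COPY_OK;
}
```

Writing the capacity test as `declared > cap - len` rather than `len + declared > cap` keeps the comparison free of integer wrap-around.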
In the security advisory, the authors do not discuss how attackers can deliberately inject such manipulated ALAC data into the targeted Sonos system. Player software release v16.6 (build 83.1-61240) or newer, which has been available for several months, closes the vulnerability. A separate announcement from Sonos is still pending.
At the end of April, Sonos issued its security release covering the information published jointly with the ZDI on four other Pwn2Own vulnerabilities. This made it clear that, in addition to the software version for the Era 300 speakers, updates were also required for other systems, such as those in the S1 series, as these were also vulnerable. Release v11.15.1 (Build 57.22-61162) or newer is available for these systems and fixes the vulnerabilities mentioned there. However, it is unclear whether this also applies to the vulnerability that has now been reported.
(dmk)