CVE-2022-24049

Name of the Vulnerable Software and Affected Versions Sonos One Speaker versions prior to 3.4.1 (S2 systems) Sonos One Speaker versions prior to 11.2.13 build 57923290 (S1 systems)

Description This issue allows remote attackers to execute arbitrary code on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the ALAC audio codec, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this issue to execute code in the context of root.

Recommendations For versions prior to 3.4.1 (S2 systems), update to version 3.4.1 or later. For versions prior to 11.2.13 build 57923290 (S1 systems), update to version 11.2.13 build 57923290 or later. As a temporary workaround, consider disabling the ALAC audio codec until a patch is available.