Meta had a bad Friday morning. A major Meta outage knocked out Facebook, Instagram, WhatsApp, and Messenger for users around the world, starting shortly before 10am ET. By midday it was recovering, unevenly, region by region.

The trouble appeared to begin on WhatsApp, then spread. Facebook users were abruptly logged out, met with a “Query Error” or a “Sorry, something went wrong” message, and unable to log back in. Others could open the app but not post, comment, react, search, or load Stories and Marketplace.

What Down Detector shows

The outage-tracking site Down Detector logged a sharp spike. Facebook bore the brunt, with reports passing 130,000; Instagram logged around 9,500, and WhatsApp far fewer. Across all three, most people flagged problems with the app, then login.

Those numbers are self-reported, so they track complaints, not Meta’s own data. But the reports came in from far beyond the US, from the Philippines and Taiwan to Australia, Spain, and South Africa, which points to something central rather than a local glitch.

Businesses caught out

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

It was not just scrolling. Meta’s status page logged “high disruptions” across its business products, including Facebook Ads Manager, the Messenger Platform, the Messenger API for Instagram, and the WhatsApp Business Platform. Advertisers could not create or edit ads, and Meta apologised “for any inconvenience.” On a Friday, the timing stung.

Meta confirms the disruption, but not the cause

Meta acknowledged the problems on its status page, flagging “high disruptions” and saying its engineering teams were “actively looking to resolve the issue as quickly as possible.” It did not say what caused the outage, or how many users were hit.

There is no word yet on whether it was a configuration error, an infrastructure failure, or something else.

Recovery was already under way. Meta marked some services, such as ad delivery, as resolved, with others “in the process of being restored.” On the consumer side, Facebook was loading closer to normal and Down Detector reports were falling, though some users still saw an empty Stories bar, a stale feed, or a “Try Again” error.

The scale is the point: Meta’s apps reach billions, and even a couple of hours offline ripples through messaging, businesses, and logins far beyond the feed. It capped an eventful day for Meta, which this morning pledged free AI glasses to every blind US veteran. This is a developing story; we will update it with Meta’s explanation and an all-clear.

It promises to be a fantastic Friday in Toronto as FIFA World Cup 2026 co-hosts Canada open their Group B campaign against Bosnia and Herzegovina.

Jesse Marsch’s squad is packed with exciting talents ready to shine on home soil including Bayern Munich’s Alphonso Davies, Villarreal winger Tajon Buchanan and Juventus striker Jonathan David, who is Les Rouges’ all-time record goalscorer. Davies has been ruled out of the opening game after failing to recover from a hamstring injury, but the noises from the Canada camp suggest they are confident their captain will play some part in the group stage. Nevertheless, the co-hosts will be confident of securing their first-ever point – or three – at the finals against Bosnia after returning empty-handed from their previous two World Cup appearances.

from the going-great,-thanks-for-asking dept

Back in March I noted how the Trump FCC under Brendan Carr had announced a “new ban” on all routers made overseas (which is pretty much all of them). At the time we also noted how this was less of a ban and more of a shakedown, with router manufacturers required to beg the Trump FCC for conditional waivers (fees, favors, whatever) to continue doing business in the States.

Several router manufacturers (like Amazon’s Eero and Netgear) have subsequently received exemptions from the Trump administration, but because there is zero transparency to the process, we have no idea what they agreed to. Did they pay the Trump administration a bribe? Did they agree to surveillance backdoors for ICE operations? Who knows? Great stuff.

Now the cable lobby appears to be balking at the purported foreign router ban. In a petition filed with the FCC last week (spotted by Ars Technica) NCTA (The Internet & Television Association) — the cable industry’s biggest lobbying org — asked for a massive exemption from the restrictions, noting that they’re simply not practical in real-world practice:

“NCTA requests an expedited grant of this waiver to enable its members and their suppliers to navigate unavoidable supply chain shortages and prevent disruptions in the availability of broadband for NCTA members’ customers, while still fulfilling the rules’ national security and public safety purpose.”

So basically you’ve got a ban on foreign routers that is more about extortion than protecting national security. Which the cable industry says it can’t adhere to because AI hype, tariffs and unnecessary wars have driven up the costs of many internal router components, making adherence expensive if not impossible. Great stuff, very savvy policymaking by people who definitely know what they’re doing.

Part of the “foreign router ban” was supposed to involve forcing hardware manufacturing to return to the states. But because Trump and much of his administration have a fourth-grader-level understanding about how this stuff works (like his desire to suddenly have smartphones built in the U.S.), the cable industry’s filing notes that the “onshoring” of manufacturing and supply chains isn’t realistically possible either:

“Like AT&T, NCTA members are encouraging their suppliers to quickly pursue required onshoring, and, in the meantime, seek Conditional Approvals for Covered Routers as necessary. However, unavoidable supply chain shortages in critical substrate material and memory modules (including both volatile and nonvolatile memory) significantly constrain the industry. AT&T’s suppliers are not unique; the same impediments they are experiencing impose inevitable limitations on NCTA’s suppliers. Accordingly, NCTA seeks the same relief on behalf of its suppliers. Given the immediacy of these issues and the concrete harms that would result from disruptions to the availability of broadband to large swaths of US consumers and businesses, the grant of this Petition is warranted.”

These companies, many of which supported and enabled Trump, now have to pretend this all makes sense as they navigate a costly minefield of weird bullshit that won’t accomplish any of its purported goals.

This is all exceptionally chaotic and dumb, and it’s unlikely that Brendan Carr, who spends most of his time trying to censor comedians and whining about “wokeness,” is capable of managing the scale of this sort of overhaul — even if it were practical, which it isn’t.

When you read most press coverage of this router ban, they don’t really make it clear to readers that this is all very unworkable and stupid. Trump and his administration are given undeserved credit on competency and policy, as the press, companies, and policymakers all try to trip over themselves to normalize the sheer pointless stupidity and expense of it all.

If the country cared about national security we’d focus on corruption. We’d pass a meaningful modern internet privacy law. We’d shore up, staff, and properly fund cybersecurity regulators. We’d regulate data brokers. Instead we get a giant pile of unworkable extortion slop being overseen by weird zealots.

Filed Under: brendan carr, hardware, national security, onshoring, privacy, router ban, routers, telecom

Companies: ncta

OFFBEAT

It might also make Musk the world’s first trillionaire

SpaceX has priced its blockbuster initial public offering at $135 a share, raising $75 billion and valuing Elon Musk’s rocket biz at roughly $1.78 trillion.

The haul could rise to about $86 billion if underwriters exercise their option to buy more stock, making it the largest IPO in US history.

The company confirmed [PDF] that 555.6 million shares of Class A common stock were sold in the offering, with another 83.3 million available to underwriters.

SpaceX is a loss-making company. In its Form S-1, filed with the US Securities and Exchange Commission, it divided operations into Space (Falcon 9 and the like), Connectivity (Starlink), and AI. Only the Connectivity segment is turning a profit, to the tune of $4.4 billion in 2025, while the others continue to rack up losses. Making a profit from AI continues to elude many companies – SpaceX is not the only entity where investment exceeds revenue, and Starship remains a work in progress.

In the company’s Form S-1, SpaceX reported a net loss of $4.9 billion on revenue of $18.7 billion in 2025. The IPO values the company at more than 90 times that revenue.

According to The Financial Times, the IPO was heavily oversubscribed – orders exceeded the number of shares on offer by more than three times. Retail investors also ordered more than $100 billion of shares, and were allocated between 20 and 25 percent of the shares sold.

The record-breaking IPO reflects investor appetite for AI-related companies, as well as a bet that SpaceX’s estimate of a $28.5 trillion total addressable market, including $22.7 trillion in “Enterprise Applications,” proves realistic.

Skeptics may recall that promises and assurances associated with Elon Musk rarely survive contact with reality.

We will update when trading kicks off today. Depending on how trading goes, Musk could be a paper trillionaire by the end of the day, thanks to his shares in SpaceX. That figure could climb further if SpaceX ever delivers on its more ambitious plans, from a human settlement on Mars to space-based datacenters.

Musk may also be in line for a vast Tesla payout if the carmaker hits targets including a sharp rise in valuation and the delivery of a million robots over the next decade. ®

Supply chain attacks continue, with Microsoft’s own open source Azure repositories being automatically disabled by GitHub following a compromise of the packages by the Miasma worm.

OpenSourceMalware reports that the infection resulted in 73 Microsoft-related package repositories being flagged and taken offline in a little over a minute by the GitHub automated security system, with over 40 repositories being related to Azure and the rest distributed across the Microsoft organization.

The center of the infection appears to be the Microsoft Durabletask package, which was previously compromised in May and used to push infected packages to PyPi. Considering that all of the supply chain worms also steal credentials for every service they can find in the build or developer environment they infect, it seems likely that credentials stolen in the original attack were never properly disabled.

Disabling the repositories can help stem the infected packages and GitHub actions from spreading and infecting more organizations, but of course any build processes depending on those packages will not function. In May, the Durabletask package showed over 400,000 downloads per month.

The OpenSourceMalware report includes a full list of the impacted repositories.

Microsoft Fixes GitHub Token Exploit

Microsoft has finally fixed a bug in GitHub which could steal a GitHub authentication token with access to all of an accounts repositories via the embedded web-based VSCode editor which is part of GitHub itself.

Ammar Askar discovered the bug and discusses it on their blog; by manipulating the sandboxed VS Code into treating an embedded web view as user keyboard strokes, it is possible to to cause it to install a VS Code extension which is then used to exfiltrate the GitHub authentication tokens of the user using the embedded VS Code instance.

TP-Link Taeover via Unregistered Domain

Julian B demonstrates capturing traffic from TP-Link routers and access points thanks to an unregistered domain name in the firmware.

After finding an archive of the firmware releases for every TP-Link product, Julian simplified the list to the latest versions, and ran a custom scraper tool to extract domain names referenced in the firmware and search for matching domain names.

After registering an available domain, Julian began receiving requests from TP-Link devices checking in to a server which had lapsed, likely years ago. Fortunately, Julian reported the issue to TP-Link and was able to transfer the domain.

It’s unclear what the risks of the unregistered domain name were in the context of the TP-Link devices, however unregistered domain names can lead to all sorts of issues in the wrong situations.

A Pile of OpenSSL Vulns

The OpenSSL library has a new collection of vulnerabilities which range from low-severity flaws in message verification in functions which aren’t used in any of the OpenSSL implemented protocols to a high-severity use-after-free bug in PKCS7 handling which could be used to run arbitrary code.

Use-after-free bugs occur when a chunk of memory is dynamically allocated, then freed and returned to the memory pool, but a later piece of code re-uses the memory that is no longer claimed. In the meantime, this memory could have been assigned to another variable or otherwise restructured, leading to memory corruption. In the case of OpenSSL, the memory associated with a PKCS7 container (a certificate storage method) or a S/MIME message (usually used in secure email) can be manipulated into using freed memory.

The advisory warns that applications processing PKCS7 or S/MIME are affected; fortunately most uses of OpenSSL are unlikely to be directly impacted (neither of those functions are common in web servers or similar), but as always, update as soon as possible!

NightmareEclipse is Back

The researcher previously identified as NightmareEclipse, known for releasing advanced Windows vulnerabilities with working proof of concept code, has returned as MSNightmare releasing several new exploits after previously being removed from GitHub. Despite a strongly worded (and poorly received) public statement by Microsoft threatening criminal investigations, the researcher returns with the RoguePlanet vulnerability.

RoguePlanet exploits race conditions in Windows Defender under Windows 10 and Windows 11 to gain a system-level shell, a fairly common trend in the vulnerabilities found by this researcher.

Additionally, another BitLocker bypass has been released, called GreatXML, which unlocks BitLocker protected drives if a Windows Defender offline scan has ever been run.

Of course, these releases coincide with Patch Tuesday, so they’re unlikely to be addressed before the July patch day.

It appears Microsoft has backed down from their initial press release which appeared to claim that vulnerability research and development outside of the guidelines Microsoft decided would be treated as criminal behavior; this was not well received by much of the security industry. At the start of the modern security industry in the late 1990s, public release of vulnerabilities was common. Companies had no way to reach a security contact to get it fixed, simply did not care to fix it, or were actively hostile to researchers. Through years and decades of community programs, it is now normal to reach out to a company with security flaws and have an expectation they will be fixed, and often rewarded either monetarily through structured bounty programs like HackerOne or through public credit to the researchers who found the flaws (nobody wants to be paid in exposure, but security is now an industry, and having a well-known name and track record can be valuable.)

Unfortunately, recently, it seems Microsoft may have forgotten that while disclosure to the vendor has become the norm, it is simply a social contract. Having already publicly alienated one skilled researcher (NightmareEclipse), the company seems to be doing the best it can to alienate others by burning community good will. Expect more publicly released vulnerabilities in the wake.

Linux Arm Fixes

Phoronix reports that the Linux kernel has patched a critical-severity flaw on Arm CPUs in the memory allocation logic. The list of processors affected continues to grow, including some NVIDIA embedded platforms.

The flaw lies in specific ordering requirements for accessing memory via the TLB, or “Translation Lookaside Buffer”, a critical part of the virtual memory and memory protection system. The TLB is a cache of recently resolved lookups of physical memory locations, so any corruption of the TLB can cause invalid memory reads, leading to almost the same results as recent kernel vulnerabilities in the Linux page cache system which allowed binaries to be replaced in RAM.

The bug was found thanks to advisories from Arm themselves clarifying that additional protections were needed around modifications to the TLB cache on these chips. The real-world impact remains to be seen, but now that the bug and patches are public, I’d expect proof of concept code to follow soon after. It’s also safe to assume that this flaw affects other operating systems on Arm platforms, as well, but there is no public information yet.

FreeBSD Gets a Page-Cache Bug

FreeBSD racks up another kernel bug this week, the amusingly named Bumsrakete (“Bum Rocket” or “Bang Rocket”), complete with a well-crafted troll of an announcement, right down to the use of Comic Sans for the announcement site.

Beneath the crap-posting exterior lies a legitimate CVE (CVE-2026-45257) where any user with access to the PMAP_HAS_DMAP system (the standard configuration) can overwrite the disk page cache in memory. This is the FreeBSD flavor of the kernel cache flaws in Linux used by CopyFail, DirtyPipe, and friends, and even involves decryption primitives in the kernel similar to the original CopyFail process.

It’s not surprising that following the multiple disk cache corruption bugs in Linux disclosed this spring, other operating systems with similar functionality are being examined and new flaws showing up.

NPM to Block Auto Install Scripts

NPM is introducing major changes in NPM 12 to attempt to stem the flood of supply-chain vulnerabilities by removing the automatic execution of commands from the install phase of packages and disabling the use of remote URLs as dependencies.

Most of the NPM-based worms infecting packages at record rates use the install script process, hooking either pre-install, install, or post-install scripts to run commands automatically as a package dependency is included. Since the install script runs as the user (or build service) pulling the dependencies, it has direct access to any credentials or files that user and service has. Under the new model an infected package could still perform malicious actions inside a compiled application or site, but a major mechanism for automatic spreading of malicious packages will be addressed.

It’s good to see progress made towards addressing the underlying weaknesses in the package ecosystem which aid in spreading malicious packages.

Libinput Security Fix

The libinput library sees a pair of security fixes this week, centered around the handling of device names for uinput and uhid devices. Maliciously named devices could execute commands as root.

To be able to exploit this, a user needs to already be on the system and have the ability to create new uinput devices. This is normally restricted to root, however if steam-devices, antimicrox, or kdeconnectd packages are installed, the permissions to create a device are modified and any user logged into the system can create a uinput device.

Go forth, and update!

Mini Shai-Hulud Hides in Censorship

The Shai-Hulud, Mini Shai-Hulud, and Miasma worms have been prolifically infecting packages on NPM and PyPi as well as VS Code extensions and GitHub actions. Using a combination of captured worm code and publicly released versions of the worms, researchers have been reverse engineering the behavior of the worm using the decrypted payloads.

Amusingly, they have discovered that the Mini Shai-Hulud worm attempts to hide from automatic analysis and detection via AI prompt injection. The payload file executed during a NPM package install contains a block of comment text referencing biological and nuclear weapons, topics many AI models refuse to allow.

Interpreting the comment as a banned request, the AI models may immediately stop processing the rest of the file, either blocking further analysis by researchers or disabling AI-based malware detection tools scanning for malicious payloads.

Another Record Patch Tuesday

For the second time this year, Microsoft has a record-breaking number of fixes included in Patch Tuesday with more than 200 security fixes, including fixes for two vulnerabilities released by NightmareEcllipse in recent weeks, however none of the fixes specifically reference the conflict between Microsoft and the researcher.

Outside of the Patch Tuesday fixes, Microsoft also fixed 360 browser vulnerabilities.

With the increasing automatic bug finding via AI tools, this may become the new normal for Patch Tuesday fix counts.

Python Linter Blocks Shai-Hulud

Sometimes pedantry pays off. StepSecurity brings the tale of a supply chain infection of the popular Pythagoria-io GPT Pilot package, an AI coding assistant tool. After one of the developers was infected by the Miasma supply chain worm, the worm performed the typical trick of attempting to reversion and push compromised versions of all accessible packages.

This time, the commits containing the trojaned were rejected by the Python linter, Ruff, for not matching the style guidelines of the project. Linters analyze code for style, comments, and syntax (think the pretty printing in a code editor that highlights incorrect tabs and spaces or deprecated functions.)

The developer will still need to clean up their system and make sure to revoke all tokens the worm has access to, but the project itself was spared infection by a humble syntax styler.

Deep Dive into Miasma

Finally, we have a dive into the Miasma worm thanks to SafeDep.

The payload source for Miasma has been open sourced, apparently by some of the developers of the malware. Previously the payload was heavily encrypted, however progress was made in decoding it during the initial wave of attacks. By open sourcing the worm, the developers likely hope to muddy the waters by creating copy-cat worms using modified techniques and signatures.

SafeDep takes a deep look into the capabilities of the payload, noting several unusual abilities including disabling GitHub environment protections, a full list of the credential harvesting capabilities, and more. Be sure to check out the full write up for an extremely detailed breakdown of each major component of the worm and the actions it takes, if that sort of thing is interesting to you!

It might involve connecting a keyboard to your TV, which is as fun as it sounds.

Netflix’s apps have hidden shortcuts for quality information

Max Miller/Sony Pictures/Engadget

The nuances of video streaming quality on Netflix

Mijansk786/Shutterstock

Wharfedale’s Heritage Series tends to get the loudest applause, and that is hardly surprising. Few loudspeaker brands play the vintage card with as much credibility, and commercial success. The Denton, Super Linton, Super Denton, Denton 1S, and Dovedale have helped make old-school British loudspeaker design feel relevant again rather than merely nostalgic.

But Wharfedale’s most technically ambitious loudspeakers do not live in the Heritage Series. That role belongs to Elysian, and the new Wharfedale Elysian R Series is now positioned at the top of the food chain in terms of technology, design execution, and claimed sonic performance.

The Elysian R Series is not a ground-up replacement for the original Elysian lineup. Wharfedale describes it more as a disciplined evolution of the existing platform, with refinements to the AMT high-frequency driver, woven glass fibre matrix midrange and bass drivers, crossover network, cabinet construction, bass loading, finishes, and production tolerances.

In other words, this is Wharfedale reminding everyone that it can do more than walnut nostalgia and big boxes with wide baffles. The pipe-and-slippers crowd may want to take the night off before the AMT tweeter frightens the port.

The new range includes the Elysian 1R compact standmount, Elysian 2R reference standmount, Elysian 3R compact floorstander, Elysian 4R flagship floorstander, and Elysian CR centre channel speaker. Matching stands are available for the standmount and centre models.

Elysian R Series: What Has Changed?

Wharfedale is carrying over the basic Elysian identity but has revisited the major acoustic and mechanical elements. The headline change is the further-developed AMT, or Air Motion Transformer, high-frequency driver. Instead of a conventional dome tweeter, the AMT uses a pleated diaphragm to move air more efficiently. For the R Series, Wharfedale specifies an ultra-lightweight PET diaphragm, an enlarged high-spec design, and an acoustically damped rear chamber intended to improve openness, extension, and treble control.

The midrange and bass drivers have also been refined. Wharfedale uses proprietary woven glass fibre matrix cones, with updates to cone construction, motor systems, phase plugs, and distortion control. The midrange driver includes an aluminium ring and custom phase plug to support dispersion and linearity, while the bass units use improved motor systems, large voice coils, die-cast chassis, and aluminium demodulation rings.

Bass loading remains a major part of the Elysian formula. Wharfedale’s Slot-Loaded Profiled Port system, or SLPP, has been further optimized for the R Series. The system is designed to equalize internal and external air pressure, improve bass extension and control, reduce distortion, and make the speakers less sensitive to room placement. That last point matters, because big speakers with serious bass can become a domestic negotiation very quickly.

The crossover has also been redesigned. Wharfedale specifies high-silicon iron-cored coils for bass, air-core coils for midrange and treble, polypropylene capacitors throughout the signal path, and low-inductance resistors. The components are mounted on newly designed “direct path” PCBs intended to shorten the signal route, with LC-OFC high-purity copper cabling used between the crossover and drive units.

Cabinet Design and Finishes

The Elysian R cabinet keeps the familiar sculpted look of the original Elysian models but introduces a more contemporary visual direction. Wharfedale has replaced the previous piano lacquer black and white finishes with matte black and matte grey options, while retaining the high-gloss walnut finish that has been central to the Elysian identity.

The new finishes are joined by matte-black trims, driver detailing, and metalwork. The goal is a cleaner and more architectural look without stripping away the luxury feel. The matching stands for the Elysian 1R, Elysian 2R, and Elysian CR follow the same matte black approach.

Internally, Wharfedale uses its multi-layer PROS, or Panel Resonance Optimisation System, cabinet construction. The company says this is intended to reduce cabinet resonance and energy leakage, improving structural integrity and allowing the drivers to work with less cabinet coloration. That is the promise, anyway. The proof will be whether these speakers sound more precise than the original Elysians without losing their scale and ease.

Wharfedale Elysian 1R: Compact Standmount

The Wharfedale Elysian 1R is the entry point into the new range, although “entry point” is doing a lot of work at this level. This is a two-way standmount loudspeaker using a coated glass fibre matrix bass/midrange driver and a 27 x 90mm AMT high-frequency driver, which measures roughly 1.1 x 3.5 inches.

Wharfedale specifies 89dB sensitivity, a recommended amplifier power range of 25 to 175 watts, and a peak SPL of 108dB. Frequency response is rated at 49Hz to 22kHz, with bass extension down to 44Hz and a crossover frequency of 2.6kHz.

The cabinet volume is 21.6 litres. The Elysian 1R stands 490mm tall on its plinth, or about 19.3 inches, with a width of 263mm, or about 10.4 inches. Net weight is 15kg per speaker, or about 33.1 pounds.

Matching stands are available and measure 476mm tall, 340mm wide, and 287mm deep with badge, or about 18.7 x 13.4 x 11.3 inches.

Wharfedale Elysian 2R: Reference Standmount

The Wharfedale Elysian 2R is the larger and more ambitious standmount model in the lineup. Unlike most standmount speakers, this is a three-way design using a coated glass fibre matrix low-frequency driver, a coated glass fibre matrix midrange driver, and a 27 x 90mm AMT high-frequency driver, or roughly 1.1 x 3.5 inches.

Wharfedale rates the Elysian 2R at 89dB sensitivity, with a recommended amplifier power range of 25 to 250 watts and a peak SPL of 109dB. Frequency response is specified at 35Hz to 22kHz, with bass extension down to 28Hz.

Crossover points are 360Hz and 2.9kHz, with cabinet volumes of 17.5 litres and 43.6 litres. The Elysian 2R stands 700mm tall, or about 27.6 inches, with a width of 334mm, or about 13.1 inches.

Net weight is 30.5kg per speaker, or about 67.2 pounds, so this is not exactly a “bookshelf” speaker unless your bookshelf was built by a shipyard.

The matching Elysian 2R stands measure 428mm tall, 402mm wide, and 435mm deep with badge, or about 16.9 x 15.8 x 17.1 inches.

Wharfedale Elysian 3R: Compact Floorstander

The Wharfedale Elysian 3R is the smaller of the two floorstanding models, but it still uses a proper three-way architecture. It features two coated glass fibre matrix bass drivers, a coated glass fibre matrix midrange driver, and a 27 x 90mm AMT high-frequency driver, roughly 1.1 x 3.5 inches.

Wharfedale specifies 89dB sensitivity, a recommended amplifier power range of 30 to 200 watts, and a peak SPL of 108dB. Frequency response is rated at 44Hz to 22kHz, with bass extension down to 35Hz.

The crossover frequencies are 375Hz and 2.9kHz, with cabinet volumes of 9.4 litres and 35 litres. The Elysian 3R stands 1050mm tall on its plinth, or about 41.3 inches, with a width of 263mm, or about 10.4 inches.

Net weight is 28.45kg per speaker, or about 62.7 pounds. It is the most room-manageable floorstander in the series, offering the full AMT, dedicated midrange, and dual-bass-driver layout without the size and weight of the flagship Elysian 4R.

Wharfedale Elysian 4R: Flagship Floorstander

The Wharfedale Elysian 4R sits at the top of the range and is the largest, most sensitive, and deepest-reaching model in the new series. It is a three-way floorstanding loudspeaker using two coated glass fibre matrix bass drivers, a coated glass fibre matrix midrange driver, and a 27 x 90mm AMT high-frequency driver, or approximately 1.1 x 3.5 inches.

Wharfedale rates the Elysian 4R at 92dB sensitivity, with a recommended amplifier power range of 15 to 250 watts and a peak SPL of 110dB. Frequency response is specified at 30Hz to 22kHz, with bass extension down to 24Hz.

Crossover frequencies are 340Hz and 3.1kHz, with cabinet volumes of 38 litres and 79.4 litres. The Elysian 4R stands 1188mm tall on its plinth, or about 46.8 inches, with a width of 402mm, or about 15.8 inches.

Net weight is 49.5kg per speaker, or about 109.1 pounds. That makes it the model most likely to deliver the full Elysian R scale and low-frequency authority, but also the one that will demand the most from the room, amplifier, and the person foolish enough to move it alone.

Wharfedale Elysian CR: Centre Channel

The Wharfedale Elysian CR is the centre channel speaker in the range, designed for matching Elysian R home cinema systems. It is a three-way design using dual coated glass fibre matrix low-frequency drivers, a coated glass fibre matrix midrange driver, and a smaller 27 x 45mm AMT high-frequency driver, or roughly 1.1 x 1.8 inches.

Wharfedale specifies 91dB sensitivity, a recommended amplifier power range of 25 to 250 watts, and a peak SPL of 110dB. Frequency response is rated at 35Hz to 22kHz, with bass extension down to 27Hz.

Crossover frequencies are 360Hz and 2.9kHz, with cabinet volumes of 5.7 litres and 64 litres. The Elysian CR measures 320mm tall and 830mm wide, or about 12.6 inches tall and 32.7 inches wide.

Net weight is 30.2kg, or about 66.6 pounds. Matching stands are available and measure 496mm tall, 618mm wide, and 372mm deep with badge, or about 19.5 x 24.3 x 14.6 inches.

This is clearly not a token centre speaker added to complete the brochure; it is a large, heavy, full-range centre channel intended for serious multichannel systems.

Pricing and Availability

The Wharfedale Elysian R Series is expected to be available in June in the U.S., with five models covering both stereo and home cinema systems. UK pricing listed in the supplied Wharfedale document shows the range scheduled for April 2026 availability in that market.

The Elysian 1R Compact standmount is the entry point into the lineup. It is a two-way design priced at $5,995 per pair in the U.S. and £3,499 in the UK. The larger Elysian 2R Reference standmount moves to a three-way configuration and is priced at $8,495 per pair in the U.S. and £4,999 in the UK.

For listeners looking for floorstanding models, the Elysian 3R Compact floorstander is a three-way design priced at $9,995 per pair in the U.S. and £5,599 in the UK. The Elysian 4R Flagship floorstander sits at the top of the range and is priced at $11,995 per pair in the U.S. and £6,999 in the UK.

Wharfedale is also offering the Elysian CR Centre channel, a three-way design intended for matching home cinema systems, priced at $5,995 in the U.S. and £3,499 in the UK.

Available finishes include walnut high gloss, matte black, and lunar grey. The walnut finish preserves the more traditional luxury loudspeaker look, while matte black and lunar grey give the Elysian R Series a cleaner, more contemporary direction.

The Bottom Line

The Elysian R Series is Wharfedale’s strongest modern engineering play, not another exercise in walnut-finished nostalgia. The refinements are meaningful: upgraded AMT tweeters, revised glass fibre matrix drivers, redesigned crossovers, improved SLPP bass loading, and resonance-controlled cabinet construction.

What makes the range compelling is the value equation. With the flagship Elysian 4R priced at $11,995 per pair in the U.S. and £6,999 in the UK, Wharfedale is competing in a category where many rivals now cost three to five times more and do not always offer more speaker for the money.

The lineup is missing a dedicated subwoofer, surround speaker, and height channel option, so it is not a complete home theater ecosystem. But as a high-end stereo range with a serious matching center channel, Elysian R looks like a very strong technical and financial argument. Not cheap, but increasingly rare in 2026: expensive for a reason.

For more information:

Where to buy: