
Mat931

#37234 of 53,622
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-3475
7.5
2026-01-19
Espressif Systems · Esp32 · CVE-2026-23833
**Name of the Vulnerable Software and Affected Versions**

ESPHome versions 2025.9.0 through 2025.12.6

**Description**

ESPHome is a system for remote microcontroller control via Home Automation systems. An integer overflow in the API component's protobuf decoder can lead to denial-of-service attacks when API encryption is not used. The check `ptr + field length > end` within `components/api/proto.cpp` is susceptible to overflow if a malicious client transmits a large `field length` value. This impacts all ESPHome device platforms, including ESP32, ESP8266, RP2040, and LibreTiny. The overflow circumvents the bounds check, resulting in the device reading invalid memory and crashing. Exploitation via the plaintext API protocol does not require authentication, while Noise encryption requires knowledge of the encryption key.

**Recommendations**

Upgrade to ESPHome version 2025.12.7 or later. Enable API encryption with a unique key per device. Follow ESPHome Security Best Practices.
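The failing bounds check described above, shown beside the overflow-free form that compares the field length against the bytes remaining (`end - ptr`) instead of adding to the cursor. This is an added illustration, not ESPHome's code: offsets stand in for raw pointers so the wraparound is well-defined unsigned arithmetic, and the minimal varint decoder and the three sample messages are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a protobuf base-128 varint from buf[*pos..len). False if truncated. */
static bool read_varint(const uint8_t *buf, size_t len, size_t *pos, uint64_t *out) {
    uint64_t value = 0;
    for (unsigned shift = 0; shift < 64 && *pos < len; shift += 7) {
        uint8_t b = buf[(*pos)++];
        value |= (uint64_t)(b & 0x7f) << shift;
        if ((b & 0x80) == 0) { *out = value; return true; }
    }
    return false;
}

/* Vulnerable: mirrors "ptr + field length > end"; the unsigned sum wraps for a huge length. */
bool field_fits_unsafe(size_t pos, size_t field_len, size_t end) {
    return pos + field_len <= end;
}

/* Hardened: compare against the bytes remaining; no addition, so nothing can wrap. */
bool field_fits_safe(size_t pos, size_t field_len, size_t end) {
    return pos <= end && field_len <= end - pos;
}

/* Parse one length-delimited field (wire type 2): 1 = accepted, 0 = rejected, -1 = malformed. */
int check_length_field(const uint8_t *msg, size_t len, bool hardened) {
    size_t pos = 0;
    uint64_t tag, field_len64;
    if (!read_varint(msg, len, &pos, &tag) || (tag & 0x7) != 2) return -1;
    if (!read_varint(msg, len, &pos, &field_len64)) return -1;
    size_t field_len = (size_t)field_len64; /* still huge if size_t is 32-bit */
    bool fits = hardened ? field_fits_safe(pos, field_len, len)
                         : field_fits_unsafe(pos, field_len, len);
    return fits ? 1 : 0;
}

/* Constructed sample messages: field 1, wire type 2 (tag byte 0x0a). */
static const uint8_t BENIGN[]   = {0x0a, 0x03, 'a', 'b', 'c'};     /* length 3, fits */
static const uint8_t OVERSIZE[] = {0x0a, 0x10, 'a'};               /* length 16, too long */
static const uint8_t WRAPPING[] = {0x0a, 0xff, 0xff, 0xff, 0xff, 0xff,
                                   0xff, 0xff, 0xff, 0xff, 0x01};  /* length 2^64-1 */

int main(void) {
    printf("wrapping length: unsafe=%d hardened=%d\n",
           check_length_field(WRAPPING, sizeof WRAPPING, false),
           check_length_field(WRAPPING, sizeof WRAPPING, true));
    return 0;
}
```

The oversize message is rejected by both checks, because a length of 16 does not wrap; only the length that wraps the sum slips past the original check, which is why the comparison must be made against the remaining space.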