PT-2026-3475 · Espressif Systems+3 · Esp32+4
Mat931 · Published 2026-01-19 · Updated 2026-04-17 · CVE-2026-23833
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: ESPHome versions 2025.9.0 through 2025.12.6
Description: ESPHome is a system for remote microcontroller control via Home Automation systems. An integer overflow in the API component's protobuf decoder can lead to denial of service when API encryption is not used. The bounds check "ptr + field_length > end" in components/api/proto.cpp is susceptible to overflow if a malicious client transmits a large field length value: on these 32-bit targets the sum wraps around, compares as lower than end, and the check passes even though the field runs past the buffer. The decoder then reads invalid memory and the device crashes. This affects all ESPHome device platforms, including ESP32, ESP8266, RP2040, and LibreTiny. Exploitation via the plaintext API protocol requires no authentication, which is why the CVSS vector carries PR:N; with Noise encryption enabled, an attacker must first know the device's encryption key to reach the decoder.
Recommendations: Upgrade to ESPHome version 2025.12.7 or later. Enable API encryption with a unique key per device, so that the decoder is only reachable by clients holding that key. Follow the ESPHome Security Best Practices.
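The overflow pattern described above, as an added example that is not ESPHome's own code: a constructed 32-bit model of the decoder's bounds check, showing the vulnerable form beside a hardened one. Offsets stand in for real pointers so the wrap-around is well-defined unsigned arithmetic, the base address and the two messages are constructed for illustration, and the hardened check is one idiomatic fix rather than the project's actual patch.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the decoder state on a 32-bit MCU. Offsets stand in for
// the real pointers so the wrap-around is well-defined unsigned arithmetic
// rather than undefined pointer arithmetic. kBase is an illustrative address,
// not taken from ESPHome or any SoC memory map.
static const uint32_t kBase = 0x3FFB0000u;

// Read a protobuf base-128 varint (up to 5 bytes for a 32-bit value).
// Returns the number of bytes consumed, or 0 if the input is truncated.
static size_t read_varint(const uint8_t *buf, size_t len, uint32_t *out) {
    uint32_t value = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        value |= (uint32_t)(buf[i] & 0x7f) << (7 * i);
        if ((buf[i] & 0x80) == 0) {
            *out = value;
            return i + 1;
        }
    }
    return 0;
}

// Vulnerable form of the bounds check (the pattern the advisory describes):
// ptr + len wraps past 2^32 for a large len, so the sum compares as smaller
// than end and the check passes although the field runs off the buffer.
static bool in_bounds_vulnerable(uint32_t ptr, uint32_t end, uint32_t len) {
    return !(ptr + len > end);
}

// Hardened form: compare the length against the bytes that remain. The only
// arithmetic is a subtraction that cannot wrap because ptr <= end is checked first.
static bool in_bounds_fixed(uint32_t ptr, uint32_t end, uint32_t len) {
    return ptr <= end && len <= end - ptr;
}

// Parse one length-delimited field (wire type 2) and return the payload length
// the decoder would go on to read, or -1 when the field is rejected.
static int64_t parse_field(const std::vector<uint8_t> &msg, bool hardened) {
    if (msg.empty() || (msg[0] & 0x07) != 2) return -1;
    uint32_t len = 0;
    size_t n = read_varint(msg.data() + 1, msg.size() - 1, &len);
    if (n == 0) return -1;
    uint32_t ptr = kBase + 1 + (uint32_t)n;        // start of the payload
    uint32_t end = kBase + (uint32_t)msg.size();   // one past the buffer
    bool ok = hardened ? in_bounds_fixed(ptr, end, len)
                       : in_bounds_vulnerable(ptr, end, len);
    return ok ? (int64_t)len : -1;
}

// Constructed messages: field 1, wire type 2 (tag byte 0x0a), followed by a
// varint length. The benign one carries "abc"; the malicious one declares
// length 0xFFFFFFF0 (varint f0 ff ff ff 0f) and carries no payload at all.
static const std::vector<uint8_t> kBenign    = {0x0a, 0x03, 'a', 'b', 'c'};
static const std::vector<uint8_t> kMalicious = {0x0a, 0xf0, 0xff, 0xff, 0xff, 0x0f};

int main() {
    printf("benign    vulnerable=%lld fixed=%lld\n",
           (long long)parse_field(kBenign, false), (long long)parse_field(kBenign, true));
    printf("malicious vulnerable=%lld fixed=%lld\n",
           (long long)parse_field(kMalicious, false), (long long)parse_field(kMalicious, true));
    return 0;
}
```

Both checks reject an honestly truncated message (a declared length a few bytes longer than the buffer), because the sum does not wrap; only a length large enough to carry ptr + len past 2^32 slips through the vulnerable form. The hardened form never adds the attacker-controlled length to anything, which is the property a reviewer should look for in any length-delimited decoder on a 32-bit target.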

Tags: Exploit · Fix · DoS · Integer Overflow

Weakness Enumeration

Related Identifiers: CVE-2026-23833, GHSA-4H3H-63V6-88QX

Affected Products: Esp32, Esp8266, Esphome, Libretiny, Rp2040