Description
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices.
Published: 2026-01-19
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability is an integer overflow in the ESPHome API component’s protobuf decoder that allows an attacker to send a very large field_length value. The bounds check can wrap around, letting the decoder read beyond its intended buffer and ultimately crash the device. The flaw appears only when the plaintext API protocol is used, meaning the attacker does not need to authenticate. The result is a crash that denies service to the microcontroller until it is restarted, impacting availability but not confidentiality or integrity.
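The Description and the Impact paragraph above both come down to one pattern: an attacker-controlled length is added to a cursor pointer and the sum is compared against the buffer end, so a large enough length wraps the sum below the end and the check passes. The C program below is an added example, not ESPHome's code from `components/api/proto.cpp`. It models that check with 32-bit unsigned addresses (an assumption standing in for the MCU's 32-bit pointers, so the wrap is defined behaviour and reproduces on any host) next to the form that compares the length against the remaining space and therefore cannot wrap, and runs both over a constructed well-formed frame and a constructed frame whose varint length is 0xFFFFFFF0. The buffer addresses, frame bytes and function names are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 32-bit address space (ESP32/ESP8266/RP2040 class MCU). Addresses are
 * modelled as uint32_t so the wrap-around is defined and reproducible here;
 * in real code the equivalent pointer overflow is undefined behaviour. */
#define BUF_START 0x3FFB0000u          /* constructed: start of a 64-byte RX buffer */
#define BUF_END   (BUF_START + 64u)    /* one past the last valid byte */

/* Flawed pattern from the advisory: ptr + field_length can wrap below end. */
bool accepts_flawed(uint32_t ptr, uint32_t end, uint32_t field_length) {
    uint32_t field_end = ptr + field_length;   /* wraps modulo 2^32 */
    return !(field_end > end);
}

/* Hardened pattern: compare the length against the space that is left. This
 * needs no addition involving the untrusted value, so it cannot wrap. */
bool accepts_hardened(uint32_t ptr, uint32_t end, uint32_t field_length) {
    if (ptr > end) return false;               /* cursor already past the buffer */
    uint32_t remaining = end - ptr;
    return field_length <= remaining;
}

/* Decode a base-128 varint of at most 5 bytes. Returns bytes consumed, 0 on error. */
size_t read_varint32(const uint8_t *buf, size_t len, uint32_t *out) {
    uint32_t result = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        result |= (uint32_t)(buf[i] & 0x7Fu) << (7 * i);
        if ((buf[i] & 0x80u) == 0) {
            *out = result;
            return i + 1;
        }
    }
    return 0;                                  /* truncated or over-long varint */
}

enum decode_result { DECODE_REJECTED = 0, DECODE_ACCEPTED = 1, DECODE_BAD_VARINT = 2 };

/* Simulate the decoder meeting one length-delimited field (tag 0x0A = field 1,
 * wire type 2) at the start of the RX buffer and deciding whether the payload
 * fits, using either the flawed or the hardened check. */
int decode_field(const uint8_t *frame, size_t frame_len, bool hardened) {
    if (frame_len < 1 || frame[0] != 0x0A) return DECODE_REJECTED;
    uint32_t field_length = 0;
    size_t n = read_varint32(frame + 1, frame_len - 1, &field_length);
    if (n == 0) return DECODE_BAD_VARINT;
    /* The payload would start right after the tag byte and the varint. */
    uint32_t ptr = BUF_START + 1u + (uint32_t)n;
    bool ok = hardened ? accepts_hardened(ptr, BUF_END, field_length)
                       : accepts_flawed(ptr, BUF_END, field_length);
    return ok ? DECODE_ACCEPTED : DECODE_REJECTED;
}

/* Constructed frames. The first is well-formed: length 3, payload "abc".
 * The second declares length 0xFFFFFFF0 (varint F0 FF FF FF 0F) with no payload. */
static const uint8_t valid_frame[]     = { 0x0A, 0x03, 'a', 'b', 'c' };
static const uint8_t oversized_frame[] = { 0x0A, 0xF0, 0xFF, 0xFF, 0xFF, 0x0F };

int main(void) {
    printf("valid frame:     flawed=%d hardened=%d\n",
           decode_field(valid_frame, sizeof valid_frame, false),
           decode_field(valid_frame, sizeof valid_frame, true));
    printf("oversized frame: flawed=%d hardened=%d\n",
           decode_field(oversized_frame, sizeof oversized_frame, false),
           decode_field(oversized_frame, sizeof oversized_frame, true));
    return 0;
}
```

With the flawed check the oversized frame is accepted (the sum wraps to an address below the buffer end) and the decoder would go on to read past the 64-byte buffer; with the hardened check it is rejected while the well-formed frame still passes. Comparing the untrusted length against `end - ptr` is the standard CWE-190 remediation for this shape of check, and it is the property to look for when reviewing any decoder that mixes attacker-controlled sizes with pointer arithmetic.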

Affected Systems

All ESPHome device platforms are affected by this flaw. The issue exists in releases from 2025.9.0 through 2025.12.6, and it impacts hardware that runs ESPHome firmware on ESP32, ESP8266, RP2040, and LibreTiny boards.

Risk and Exploitability

The CVSS score is 1.7, indicating a low severity, and the EPSS score is less than 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalogue. The attack vector is inferred to be a remote attacker sending malformed API requests over the network to the device; the plaintext API permits unauthenticated exploitation, while the encrypted API requires knowledge of the shared key. An exploit will crash the device until it is restarted, so the overall risk is modest but remediation is recommended to maintain uptime.

Generated by OpenCVE AI on April 18, 2026 at 05:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ESPHome to version 2025.12.7 or newer to apply the patch that fixes the integer overflow in proto.cpp.
  • If an update cannot be applied immediately, enable the API encryption feature and configure a unique encryption key per device; this prevents unauthenticated clients from triggering the attack.
  • Disable the API component on devices that do not need remote control or restrict access to trusted networks or authenticated clients.

Generated by OpenCVE AI on April 18, 2026 at 05:06 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-4h3h-63v6-88qx
Title: ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component
History

Wed, 04 Mar 2026 15:15:00 +0000
  CPEs (added): cpe:2.3:a:esphome:esphome:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 22:15:00 +0000
  Metrics (added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 12:15:00 +0000
  References: updated (values not shown)
  Metrics (removed): threat_severity: None
  Metrics (added): cvssV3_1
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  Metrics (added): threat_severity: Low

Tue, 20 Jan 2026 08:45:00 +0000
  First Time appeared: Esphome; Esphome esphome
  Vendors & Products: Esphome; Esphome esphome

Mon, 19 Jan 2026 18:15:00 +0000
  Description (added): the text given in the Description section above
  Title (added): ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component
  Weaknesses (added): CWE-190
  References: updated (values not shown)
  Metrics (added): cvssV4_0
    {'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T21:39:18.848Z

Reserved: 2026-01-16T15:46:40.841Z

Link: CVE-2026-23833

Vulnrichment

Updated: 2026-01-20T21:39:15.831Z

NVD

Status : Analyzed

Published: 2026-01-19T18:16:06.007

Modified: 2026-03-04T15:02:35.963

Link: CVE-2026-23833

Red Hat

Severity : Low

Public Date: 2026-01-19T17:58:50Z

Links: CVE-2026-23833 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses