CVE-2026-23833

7.5 HIGH

📋 TL;DR

An integer overflow in ESPHome's native API protobuf decoder lets an unauthenticated client crash a device when API encryption is disabled. A crafted message carrying an oversized field length wraps the decoder's bounds arithmetic, so the bounds check passes and the device reads outside the message buffer and resets. All ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny) running versions 2025.9.0 through 2025.12.6 are affected.

💻 Affected Systems

Products:
  • ESPHome
Versions: 2025.9.0 through 2025.12.6
Operating Systems: All ESPHome-supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All ESPHome device platforms are affected: ESP32, ESP8266, RP2040, LibreTiny. Vulnerability is exploitable when API encryption is disabled (plaintext API protocol).

📦 What is this software?

ESPHome is an open-source framework that builds firmware for ESP32, ESP8266, RP2040 and LibreTiny microcontrollers from a YAML configuration. The resulting devices are usually paired with Home Assistant over ESPHome's native API, which is the network interface affected by this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Persistent denial-of-service rendering ESPHome devices completely inoperable, requiring physical reset or reflashing to recover functionality.

🟠

Likely Case

Temporary device crashes requiring reboot, disrupting home automation functionality until devices restart.

🟢

If Mitigated

No practical impact when API encryption is configured with a unique key per device, because a client must hold that key before the device will decode its messages. Treat encryption as a gate rather than a fix: any client that obtains the key still reaches the vulnerable decoder, so patching is required regardless.

🌐 Internet-Facing: HIGH when the plaintext API port is reachable from the internet, since the attack needs no credentials of any kind.
🏢 Internal Only: MEDIUM on internal networks: an attacker needs a network path to the device's API port but, with plaintext API, no authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a TCP connection to the device's native API port (6053 by default) and a protobuf message whose varint field_length is large enough to wrap the decoder's bounds arithmetic. When API encryption is disabled, no key or authentication is needed, so any host that can reach the port can trigger the crash. The vendor advisory (GHSA-4h3h-63v6-88qx) describes the defect.
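The following is an added illustration of the bug class, not ESPHome's own decoder code. It models a length-delimited protobuf field with 32-bit offsets (the affected devices are 32-bit microcontrollers), shows a bounds check written as `pos + field_length <= len` being wrapped past 2^32 by a constructed 5-byte varint, and the hardened form that compares against the bytes remaining instead. Function names, the message layout and the chosen length value are assumptions for the demonstration; the exact check in ESPHome may differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of a protobuf length-delimited field decoder (illustrative,
 * not ESPHome code). Sizes are uint32_t on purpose: on a 32-bit target,
 * offset + length arithmetic silently wraps at 2^32. */

/* Encode v as a base-128 varint into out; returns bytes written. */
static uint32_t encode_varint(uint32_t v, uint8_t *out) {
    uint32_t n = 0;
    do {
        uint8_t b = v & 0x7f;
        v >>= 7;
        if (v) b |= 0x80;          /* continuation bit */
        out[n++] = b;
    } while (v);
    return n;
}

/* Decode a varint at buf[*pos]; rejects truncated input and values wider
 * than 32 bits (more than 5 bytes). Leaves *pos <= len on success. */
static bool decode_varint(const uint8_t *buf, uint32_t len, uint32_t *pos, uint32_t *out) {
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (*pos >= len) return false;                 /* truncated */
        uint8_t b = buf[(*pos)++];
        result |= (uint32_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) { *out = result; return true; }
    }
    return false;
}

/* Vulnerable pattern: compute an end offset, then compare. The addition can
 * wrap, so a 4 GiB field_length produces a tiny "end" that passes the check. */
static bool bounds_ok_vulnerable(uint32_t len, uint32_t pos, uint32_t field_length) {
    uint32_t end = pos + field_length;   /* wraps on 32-bit targets */
    return end <= len;
}

/* Hardened pattern: compare against the bytes actually remaining. There is no
 * addition, so nothing can wrap. Caller guarantees pos <= len. */
static bool bounds_ok_hardened(uint32_t len, uint32_t pos, uint32_t field_length) {
    return field_length <= len - pos;
}

/* Parse one wire-type-2 field. Returns true if the selected bounds check
 * accepts it; *plen then holds the length a real decoder would go on to read. */
static bool parse_ld_field(const uint8_t *buf, uint32_t len, bool hardened, uint32_t *plen) {
    uint32_t pos = 0, tag, field_length;
    if (!decode_varint(buf, len, &pos, &tag)) return false;
    if ((tag & 0x7) != 2) return false;                /* not length-delimited */
    if (!decode_varint(buf, len, &pos, &field_length)) return false;
    bool ok = hardened ? bounds_ok_hardened(len, pos, field_length)
                       : bounds_ok_vulnerable(len, pos, field_length);
    if (ok) *plen = field_length;
    return ok;
}

/* Constructed message: tag 0x0a (field 1, wire type 2) + varint length + payload. */
static uint32_t build_message(uint32_t field_length, const uint8_t *payload,
                              uint32_t payload_len, uint8_t *out) {
    uint32_t n = 0;
    out[n++] = 0x0a;
    n += encode_varint(field_length, out + n);
    for (uint32_t i = 0; i < payload_len; i++) out[n++] = payload[i];
    return n;
}

/* Constructed malicious message with no payload at all. The header is 1 tag
 * byte + 5 varint bytes = 6, so a declared length of 2^32 - 6 makes
 * pos + field_length wrap to exactly 0 in 32-bit arithmetic. */
static uint32_t build_overflow_message(uint8_t *out) {
    return build_message(0xFFFFFFFAu, NULL, 0, out);
}

bool vulnerable_accepts_overflow(void) {
    uint8_t msg[16]; uint32_t plen = 0;
    uint32_t len = build_overflow_message(msg);
    return parse_ld_field(msg, len, false, &plen) && plen == 0xFFFFFFFAu;
}

bool hardened_accepts_overflow(void) {
    uint8_t msg[16]; uint32_t plen = 0;
    uint32_t len = build_overflow_message(msg);
    return parse_ld_field(msg, len, true, &plen);
}

bool both_accept_benign(void) {
    static const uint8_t payload[3] = {'a', 'b', 'c'};
    uint8_t msg[16]; uint32_t p1 = 0, p2 = 0;
    uint32_t len = build_message(3, payload, 3, msg);
    return parse_ld_field(msg, len, false, &p1) && parse_ld_field(msg, len, true, &p2)
        && p1 == 3 && p2 == 3;
}

int main(void) {
    printf("vulnerable check accepts ~4 GiB field in a 6-byte message: %s\n",
           vulnerable_accepts_overflow() ? "yes" : "no");
    printf("hardened check accepts it: %s\n", hardened_accepts_overflow() ? "yes" : "no");
    printf("both checks accept a benign 3-byte field: %s\n", both_accept_benign() ? "yes" : "no");
    return 0;
}
```

The six-byte message passes the vulnerable check with a field length of 0xFFFFFFFA, which a real decoder would then try to read from memory beyond the buffer; the hardened check rejects it because no bytes remain. The same wrap does not reproduce with native 64-bit pointer arithmetic on a desktop host, which is why the model uses uint32_t offsets explicitly.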

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ESPHome 2025.12.7 or later

Vendor Advisory: https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx

Restart Required: Yes (each device must be recompiled and reflashed; restarting alone does not apply the fix)

Instructions:

1. Update the ESPHome tool (CLI, dashboard or Home Assistant add-on) to version 2025.12.7 or later. Updating the tool alone changes nothing on the devices.
2. Recompile and reflash every affected device so that it runs firmware built from the patched version.
3. Enable API encryption with a unique key per device.
4. Follow ESPHome security best practices.

🔧 Temporary Workarounds

Enable API Encryption

Platforms: all

Enable Noise encryption for API communication. The device then only decodes messages from a client that holds the pre-shared key, so an attacker without the key cannot reach the vulnerable decoder. The key is a 32-byte base64-encoded string and should be unique to each device; reusing one key across devices means a single leak exposes all of them.

# In ESPHome configuration YAML:
api:
  encryption:
    # 32-byte base64 key, unique per device
    key: "YOUR_UNIQUE_ENCRYPTION_KEY"

Disable API Interface

Platforms: all

Disable the API interface entirely if it is not required, which removes the attack surface. Note that the Home Assistant ESPHome integration communicates over this API, so devices managed through it will become unavailable until the API is re-enabled.

# In ESPHome configuration YAML:
# Remove or comment out the entire 'api:' section

🧯 If You Can't Patch

  • Enable API encryption with a strong, unique key on every device immediately
  • Isolate ESPHome devices on their own network segment and restrict the API port (6053 by default) to the Home Assistant host or other trusted clients

🔍 How to Verify

Check if Vulnerable:

The version that matters is the one compiled into each device's firmware, not the version of the ESPHome tool. The device boot log prints a line of the form "ESPHome version X compiled on ...", and the Home Assistant integration shows the firmware version in the device info. Versions 2025.9.0 through 2025.12.6 are vulnerable.

Check Version:

# Tool version (what new builds will use): esphome version
# Device firmware version: read the "ESPHome version ... compiled on ..." line from the device log

Verify Fix Applied:

Confirm from each device's boot log that it runs firmware built from ESPHome 2025.12.7 or later, and that its configuration has api.encryption.key set to a key not shared with any other device.

📡 Detection & Monitoring

Log Indicators:

  • Device crashes or reboots without apparent cause, including repeated resets while a particular client is connected
  • Memory access fault panics on the serial console, e.g. ESP32 "Guru Meditation Error" with "LoadProhibited", ESP8266 "Fatal exception"
  • API connection failures or devices flapping between available and unavailable in Home Assistant

Note that logs streamed over the API are lost when the device crashes; panic output is only reliably captured on a serial console or a syslog-style sink configured on the device.

Network Indicators:

  • Connections to the device API port (6053 by default) from hosts other than the Home Assistant instance or known clients
  • API messages declaring implausibly large protobuf field lengths, or very short connections followed by the device dropping off the network

SIEM Query:

source="esphome" AND ("Guru Meditation Error" OR "LoadProhibited" OR "Fatal exception" OR "reboot")

A bare match on "memory" produces noise from routine free-heap logging; prefer the panic strings above.

🔗 References

  • Vendor advisory: https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx