CVE-2026-23833 Overview
ESPHome, a popular system for controlling microcontrollers remotely through Home Automation systems, contains an integer overflow vulnerability in its API component's protobuf decoder. This flaw exists in versions 2025.9.0 through 2025.12.6 and enables denial-of-service attacks when API encryption is not enabled. The vulnerability stems from an improper bounds check in components/api/proto.cpp that can be bypassed through arithmetic overflow.
Critical Impact
Unauthenticated attackers can crash ESPHome devices across all supported platforms (ESP32, ESP8266, RP2040, LibreTiny) by sending maliciously crafted protobuf messages that trigger invalid memory reads.
Affected Products
- ESPHome versions 2025.9.0 through 2025.12.6
- ESP32, ESP8266, RP2040, and LibreTiny device platforms
- Devices with plaintext API protocol (no noise encryption enabled)
Discovery Timeline
- 2026-01-19 - CVE CVE-2026-23833 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-23833
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The core issue lies in the protobuf decoder implementation within the ESPHome API component. When processing incoming protobuf messages, the decoder performs a bounds check using the expression ptr + field_length > end. However, this check is susceptible to integer overflow when a malicious client supplies an excessively large field_length value.
When field_length is large enough, adding it to the current pointer value overflows the (32-bit) address arithmetic, so the result wraps around to a small value. That wrapped value then compares as not greater than end and passes the bounds check, allowing the decoder to proceed with reading memory far beyond the legitimate buffer boundaries. The resulting out-of-bounds memory access causes the device to crash.
The attack surface is particularly concerning because when using the plaintext API protocol (the default configuration), this attack can be executed without any authentication. Devices with noise encryption enabled require knowledge of the encryption key to exploit this vulnerability.
Root Cause
The root cause is an unsafe integer arithmetic operation in the protobuf decoder's bounds validation logic located in components/api/proto.cpp. The expression ptr + field_length > end does not account for the possibility of integer overflow when field_length contains a maliciously large value. This allows the sum to wrap around, producing a smaller value that incorrectly passes the bounds check and permits unauthorized memory access.
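The following C program is an added illustration written for this write-up; it is not ESPHome's own code and does not reproduce components/api/proto.cpp. It models the two forms of the bounds check side by side: the overflow-prone form (ptr + field_length > end, modelled with uint32_t offsets so the 32-bit wrap is reproducible on any host) and the hardened form that compares the length against the bytes remaining (field_length > end - ptr), which cannot wrap. A minimal protobuf walker then applies the hardened check to three constructed messages: a valid one, one with a truncated length-delimited field, and one whose length varint decodes to 0xFFFFFFFF. All function names, the sample bytes, and the constants are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a protobuf base-128 varint (up to 32 bits). Returns the number of
 * bytes consumed, or 0 if the varint is truncated or too long. */
size_t decode_varint(const uint8_t *p, const uint8_t *end, uint32_t *out) {
    uint32_t result = 0;
    for (size_t i = 0; i < 5 && p + i < end; i++) {
        result |= (uint32_t)(p[i] & 0x7F) << (7 * i);
        if (!(p[i] & 0x80)) {
            *out = result;
            return i + 1;
        }
    }
    return 0;
}

/* Overflow-prone check, modelled with 32-bit offsets (an MCU address space):
 * "ptr + field_length" is computed first and may wrap past zero, after which
 * the comparison against end is meaningless. Returns true when the field is
 * judged to be in bounds. */
bool bounds_check_unsafe(uint32_t ptr, uint32_t field_length, uint32_t end) {
    uint32_t field_end = ptr + field_length; /* wraps modulo 2^32 */
    return !(field_end > end);
}

/* Hardened check: compare the length against the bytes actually remaining.
 * Requires ptr <= end (maintained by the decoder); no addition can wrap. */
bool bounds_check_safe(uint32_t ptr, uint32_t field_length, uint32_t end) {
    return field_length <= end - ptr;
}

/* Walk a protobuf message consisting of varint (wire type 0) and
 * length-delimited (wire type 2) fields, applying the hardened check to every
 * length-delimited field. Returns the number of fields decoded, or -1 if the
 * message is rejected as malformed. */
int decode_message_safe(const uint8_t *buf, size_t len) {
    const uint8_t *ptr = buf;
    const uint8_t *end = buf + len;
    int fields = 0;
    while (ptr < end) {
        uint32_t tag;
        size_t n = decode_varint(ptr, end, &tag);
        if (n == 0) return -1;
        ptr += n;                         /* decode_varint guarantees ptr <= end */
        uint32_t wire_type = tag & 0x7;
        if (wire_type == 0) {
            uint32_t value;
            n = decode_varint(ptr, end, &value);
            if (n == 0) return -1;
            ptr += n;
        } else if (wire_type == 2) {
            uint32_t field_length;
            n = decode_varint(ptr, end, &field_length);
            if (n == 0) return -1;
            ptr += n;
            /* Hardened form: never add field_length to ptr before validating it. */
            if (field_length > (size_t)(end - ptr)) return -1;
            ptr += field_length;
        } else {
            return -1;                    /* other wire types not modelled here */
        }
        fields++;
    }
    return fields;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_OK[]        = {0x0A, 0x03, 'a', 'b', 'c', 0x10, 0x05}; /* field 1: "abc", field 2: 5 */
const uint8_t SAMPLE_TRUNCATED[] = {0x0A, 0x05, 'a'};                        /* claims 5 bytes, carries 1 */
const uint8_t SAMPLE_OVERSIZED[] = {0x0A, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 'a'}; /* length 0xFFFFFFFF */

int main(void) {
    printf("valid message: %d fields\n", decode_message_safe(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated message: %d\n", decode_message_safe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("oversized length: %d\n", decode_message_safe(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    /* Same inputs through both check forms, with a 16-byte buffer at 0x3FFF0000. */
    printf("unsafe check passes oversized field: %d\n",
           bounds_check_unsafe(0x3FFF0000u, 0xFFFFFFF0u, 0x3FFF0010u));
    printf("safe check passes oversized field:   %d\n",
           bounds_check_safe(0x3FFF0000u, 0xFFFFFFF0u, 0x3FFF0010u));
    return 0;
}
```

The point of the side-by-side is the order of operations: the hardened check subtracts first (end - ptr can never exceed the buffer size) and compares the untrusted length against that, whereas the original form adds the untrusted length first and then compares a value that may already have wrapped. The same length-first check is what a network sensor would apply when flagging protobuf frames whose declared field length exceeds the bytes remaining in the frame.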
Attack Vector
The attack is network-based and can be performed remotely. An attacker with network access to an ESPHome device's API port can craft a malicious protobuf message containing an oversized field_length field. When the vulnerable device processes this message:
- The attacker sends a crafted protobuf message to the device's API endpoint
- The decoder reads the malicious field_length value
- The bounds check calculation (ptr + field_length) overflows to a small value
- The check passes incorrectly, allowing the decoder to continue
- The device attempts to read memory at invalid addresses
- The invalid memory access causes the device to crash, resulting in denial of service
When the plaintext API protocol is in use, this entire attack sequence requires no authentication. Devices protected by noise encryption would require the attacker to possess the encryption key.
Detection Methods for CVE-2026-23833
Indicators of Compromise
- Unexpected device reboots or crashes without apparent cause
- Network traffic containing abnormally large protobuf field length values targeting ESPHome API ports
- Repeated connection attempts to ESPHome devices from unknown IP addresses
- Device logs showing memory access violations or crash dumps prior to reboot
Detection Strategies
- Monitor network traffic for malformed protobuf messages with unusually large length fields targeting IoT devices
- Implement intrusion detection rules to identify potential overflow attempts in protobuf-encoded traffic
- Track device uptime metrics and alert on unexpected restarts of ESPHome devices
- Review ESPHome device logs for memory-related errors or crash indicators
Monitoring Recommendations
- Enable logging on ESPHome devices to capture crash events and connection attempts
- Deploy network monitoring to detect anomalous traffic patterns targeting IoT device ports
- Implement alerting for devices that go offline unexpectedly or experience repeated crashes
- Monitor for scanning activity targeting common ESPHome API ports across your network
How to Mitigate CVE-2026-23833
Immediate Actions Required
- Upgrade all ESPHome devices to version 2025.12.7 or later immediately
- Enable API encryption with noise using a unique key per device
- Review the ESPHome Security Best Practices documentation
- Restrict network access to ESPHome devices to trusted networks and IP addresses only
Patch Information
ESPHome has released version 2025.12.7 which addresses this integer overflow vulnerability. The fix is documented in Pull Request #13306, and the specific patch can be reviewed in commit 69d7b6e. Users should update their ESPHome installation and reflash all affected devices with the patched firmware. For complete technical details, refer to the GitHub Security Advisory GHSA-4h3h-63v6-88qx.
Workarounds
- Enable noise encryption on all ESPHome devices to require authentication for API access
- Isolate ESPHome devices on a separate network segment with restricted access
- Implement firewall rules to limit API port access to known Home Automation system IP addresses only
- Disable the native API component if not required and use alternative communication methods
# ESPHome configuration with API encryption enabled
api:
  encryption:
    key: "your-unique-32-byte-base64-encoded-key"
  # No user-defined services exposed over the API; IP restrictions
  # are applied with firewall rules or network segmentation, not here
  services: []
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.