PyPI: esphome
CVE-2026-23833
Safety vulnerability ID: SFTY-20260121-50729
Safety legacy ID: pyup.io-84894
Affected versions of the esphome package are vulnerable to Denial of Service (DoS) due to an integer overflow in a protobuf decoder bounds check. The API component’s protobuf decoder in components/api/proto.cpp performs the bounds check ptr + field_length > end, which can overflow when a malicious client supplies a very large field_length, bypassing the out-of-bounds check and triggering invalid memory reads. An attacker with network access to port 6053 can exploit this by sending a crafted plaintext API message to crash and reboot the device (no authentication required when the plaintext API protocol is used, while Noise-encrypted API sessions require knowledge of the encryption key), resulting in a sustained denial of service.
Overview
ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component
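The failure mode described above is a classic pointer-arithmetic overflow: computing ptr + field_length before comparing it to end lets a huge length wrap the sum back inside the buffer, so the check passes and the decoder reads past the message. The correct form compares the length against the bytes actually remaining (end - ptr) and never forms the out-of-range pointer. The following C program, added here as an illustration and not taken from ESPHome's proto.cpp or its fix commit, shows the wrapping check beside the hardened one and a small length-delimited field reader built on the hardened check; all function names and the sample byte strings are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Editor's example, not ESPHome code. The function names below are
 * illustrative assumptions. */

/* Shape of the vulnerable check, done on integers so the wraparound is
 * defined behaviour for the demonstration: ptr + field_length can wrap
 * below end, so an oversized length looks as if it "fits". */
bool check_bounds_unsafe(uintptr_t ptr, uintptr_t end, size_t field_length) {
    uintptr_t field_end = ptr + field_length; /* wraps on overflow */
    return !(field_end > end);                /* true means "in bounds" */
}

/* Hardened check: compare the requested length against the remaining
 * bytes. No addition to the pointer, so nothing can wrap. */
bool check_bounds_safe(const uint8_t *ptr, const uint8_t *end, size_t field_length) {
    if (ptr > end)
        return false;
    return field_length <= (size_t)(end - ptr);
}

/* Protobuf base-128 varint. Returns bytes consumed, 0 on truncation or
 * an over-long encoding. */
size_t read_varint(const uint8_t *ptr, const uint8_t *end, uint64_t *out) {
    uint64_t result = 0;
    unsigned shift = 0;
    const uint8_t *p = ptr;
    while (p < end && shift < 64) {
        uint8_t b = *p++;
        result |= (uint64_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) {
            *out = result;
            return (size_t)(p - ptr);
        }
        shift += 7;
    }
    return 0;
}

/* One length-delimited field: varint length followed by payload.
 * Returns a pointer to the payload and sets *len, or NULL if the declared
 * length does not fit in the remaining buffer. */
const uint8_t *read_length_delimited(const uint8_t *ptr, const uint8_t *end, size_t *len) {
    uint64_t field_length;
    size_t n = read_varint(ptr, end, &field_length);
    if (n == 0)
        return NULL;
    ptr += n;
    /* Reject lengths that do not fit size_t (matters on 32-bit targets)
     * before the bounds check, then validate against remaining bytes. */
    if (field_length > (uint64_t)SIZE_MAX || !check_bounds_safe(ptr, end, (size_t)field_length))
        return NULL;
    *len = (size_t)field_length;
    return ptr;
}

/* Constructed sample: length 3, payload "abc". */
static const uint8_t SAMPLE_OK[] = {0x03, 'a', 'b', 'c'};
/* Constructed sample: declares 127 bytes but only 2 follow. */
static const uint8_t SAMPLE_SHORT[] = {0x7f, 'a', 'b'};
static uint8_t SCRATCH[16];

size_t demo_valid_len(void) {
    size_t len = 0;
    const uint8_t *p = read_length_delimited(SAMPLE_OK, SAMPLE_OK + sizeof SAMPLE_OK, &len);
    return p ? len : 0; /* 3 */
}

bool demo_short_rejected(void) {
    size_t len = 0;
    return read_length_delimited(SAMPLE_SHORT, SAMPLE_SHORT + sizeof SAMPLE_SHORT, &len) == NULL;
}

/* A length near SIZE_MAX: the wrapping check is fooled, the safe one is not. */
bool demo_unsafe_check_fooled(void) {
    return check_bounds_unsafe((uintptr_t)SCRATCH, (uintptr_t)(SCRATCH + sizeof SCRATCH), SIZE_MAX - 0x100);
}

bool demo_safe_check_rejects(void) {
    return !check_bounds_safe(SCRATCH, SCRATCH + sizeof SCRATCH, SIZE_MAX - 0x100);
}

int main(void) {
    printf("valid field length: %zu\n", demo_valid_len());
    printf("short field rejected: %d\n", demo_short_rejected());
    printf("wrapping check fooled: %d\n", demo_unsafe_check_fooled());
    printf("safe check rejects: %d\n", demo_safe_check_rejects());
    return 0;
}
```

The same pattern applies to any decoder that walks a buffer with a pointer: validate lengths as "does this fit in the bytes left" rather than "is the computed end pointer past the limit", and treat a parse failure as a reason to close the connection rather than to proceed.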
How to Fix
Mitigation and Workarounds
References
- https://getsafety.com/vulnerabilities/SFTY-20260121-50729/CVE-2026-23833
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23833
- https://github.com/advisories/GHSA-4h3h-63v6-88qx
- https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6
- https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx
- https://nvd.nist.gov/vuln/detail/CVE-2026-23833
- https://github.com/esphome/esphome/pull/13306
- https://esphome.io/guides/security_best_practices
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
