Cyber Posture

CVE-2026-23833

High

Published: 19 January 2026

Modified: 04 March 2026
KEV Added: not listed
Patch: available (ESPHome 2025.12.7 or later)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0008 (23.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23833 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in ESPHome (vendor esphome, product esphome). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 23.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of public-facing API component (protobuf decoder) directly enables T1190; integer overflow resulting in device crash maps to T1499.004 for application/system exploitation causing DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices.

Deeper analysis

CVE-2026-23833 is an integer overflow vulnerability (CWE-190) in the protobuf decoder of ESPHome's API component, affecting versions 2025.9.0 through 2025.12.6. The issue occurs in the bounds check `ptr + field_length > end` within `components/api/proto.cpp`, where a large `field_length` value supplied by a malicious client causes an overflow. This bypasses the out-of-bounds protection, leading the device to read invalid memory and crash. The vulnerability impacts all ESPHome-supported platforms, including ESP32, ESP8266, RP2040, and LibreTiny.
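The bounds-check failure described above, as an added example that is not ESPHome's code: a small length-delimited protobuf field decoder carrying both the vulnerable check shape (`ptr + field_length > end`) and a hardened form that compares the field length against the bytes remaining in the buffer. Addresses are modelled as 32-bit unsigned offsets from a constructed base address so that the wraparound a 32-bit MCU would experience is reproduced on any host; the byte strings, the base address and all function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not ESPHome's code. Addresses are modelled as
 * uint32_t offsets from a constructed base so 32-bit wraparound is
 * reproduced on a 64-bit host (pointer overflow itself is undefined in C). */
#define MODEL_BASE_ADDR 0x3FFB0000u /* constructed, not a real device address */

/* Vulnerable shape from the advisory: ptr + field_length > end.
 * A large field_length wraps the sum back below end, the check passes,
 * and the caller goes on to read past the buffer. */
bool fits_vulnerable(uint32_t ptr, uint32_t end, uint32_t field_length) {
    uint32_t field_end = ptr + field_length; /* wraps modulo 2^32 */
    return !(field_end > end);
}

/* Hardened shape: compare the length against the bytes that remain.
 * end - ptr cannot overflow once ptr <= end is known, so no wrap is possible. */
bool fits_safe(uint32_t ptr, uint32_t end, uint32_t field_length) {
    if (ptr > end) return false;
    return field_length <= end - ptr;
}

/* Decode a protobuf base-128 varint (up to 5 bytes for 32-bit values).
 * Returns the number of bytes consumed, or 0 if the varint is malformed. */
static size_t read_varint(const uint8_t *buf, size_t len, uint32_t *out) {
    uint32_t value = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        value |= (uint32_t)(buf[i] & 0x7Fu) << (7 * i);
        if ((buf[i] & 0x80u) == 0) { *out = value; return i + 1; }
    }
    return 0;
}

typedef enum { FIELD_ACCEPTED, FIELD_REJECTED, FIELD_MALFORMED } field_status;

/* Decode one length-delimited field (length varint, then payload) from a
 * buffer modelled as living at MODEL_BASE_ADDR. use_safe_check selects which
 * bounds check gates the payload read; ACCEPTED means the decoder would go
 * on to read field_length bytes from ptr. */
field_status decode_field(const uint8_t *buf, uint32_t buf_len,
                          bool use_safe_check, uint32_t *field_length_out) {
    uint32_t field_length = 0;
    size_t n = read_varint(buf, buf_len, &field_length);
    if (n == 0) return FIELD_MALFORMED;
    uint32_t ptr = MODEL_BASE_ADDR + (uint32_t)n;   /* start of payload */
    uint32_t end = MODEL_BASE_ADDR + buf_len;       /* one past the buffer */
    bool fits = use_safe_check ? fits_safe(ptr, end, field_length)
                               : fits_vulnerable(ptr, end, field_length);
    *field_length_out = field_length;
    return fits ? FIELD_ACCEPTED : FIELD_REJECTED;
}

/* Constructed inputs: a benign 3-byte field, the same field cut short, and a
 * field whose length varint decodes to 0xFFFFFFF0 so ptr + length wraps. */
static const uint8_t BENIGN_FIELD[]    = { 0x03, 'a', 'b', 'c' };
static const uint8_t TRUNCATED_FIELD[] = { 0x03, 'a', 'b' };
static const uint8_t OVERSIZED_FIELD[] = { 0xF0, 0xFF, 0xFF, 0xFF, 0x0F };

static field_status run(const uint8_t *buf, uint32_t len, bool safe) {
    uint32_t ignored;
    return decode_field(buf, len, safe, &ignored);
}
field_status benign_result(bool safe)    { return run(BENIGN_FIELD, sizeof BENIGN_FIELD, safe); }
field_status truncated_result(bool safe) { return run(TRUNCATED_FIELD, sizeof TRUNCATED_FIELD, safe); }
field_status oversized_result(bool safe) { return run(OVERSIZED_FIELD, sizeof OVERSIZED_FIELD, safe); }

static const char *name(field_status s) {
    return s == FIELD_ACCEPTED ? "accepted" : s == FIELD_REJECTED ? "rejected" : "malformed";
}

int main(void) {
    printf("benign:    vulnerable=%s safe=%s\n", name(benign_result(false)), name(benign_result(true)));
    printf("truncated: vulnerable=%s safe=%s\n", name(truncated_result(false)), name(truncated_result(true)));
    printf("oversized: vulnerable=%s safe=%s\n", name(oversized_result(false)), name(oversized_result(true)));
    return 0;
}
```

The truncated input shows that the vulnerable shape does catch ordinary short buffers; its failure is specific to lengths large enough to wrap the address sum, which is why the fix compares the length to `end - ptr` rather than computing an end address. The same pattern applies to any decoder that derives an address from an attacker-controlled length.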

Any network-accessible attacker can exploit this vulnerability to cause a denial-of-service (DoS) condition. When the plaintext API protocol is used, no authentication is required, allowing unauthenticated remote exploitation over the network. If noise encryption is enabled on the API, the attacker must possess the encryption key to craft and send the malicious payload. Successful exploitation results in device crashes with high availability impact, as scored by CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

ESPHome advisories recommend upgrading to version 2025.12.7 or later, where the patch addresses the overflow in the protobuf decoder (see commit 69d7b6e9210390051318bd8e6410727689de08d6 and PR #13306). Additional mitigations include enabling API encryption with a unique key per device and following ESPHome's Security Best Practices guide. The GitHub security advisory (GHSA-4h3h-63v6-88qx) provides full details on the issue and fixes.

Details

CWE(s)

CWE-190 Integer Overflow or Wraparound
Affected Products

Vendor: esphome
Product: esphome
Versions: 2025.9.0 — 2025.12.7

CVEs Like This One

CVE-2026-41602 (shared CWE-190)
CVE-2026-27889 (shared CWE-190)
CVE-2026-2588 (shared CWE-190)
CVE-2026-40046 (shared CWE-190)
CVE-2025-57808 (same vendor: esphome)
CVE-2026-41605 (shared CWE-190)
CVE-2026-37555 (shared CWE-190)
CVE-2026-25970 (shared CWE-190)
CVE-2026-30910 (shared CWE-190)
CVE-2026-33900 (shared CWE-190)

References