ESPHome Protobuf Decoder Integer Overflow Vulnerability in API Component Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the protobuf decoder of the ESPHome API component, affecting versions from 2025.9.0 up to (but not including) 2025.12.6. The issue is an integer overflow in the decoder's bounds check: a malicious client can send a large 'field_length' value whose addition to the current read offset wraps around, so the out-of-bounds check passes and the device reads invalid memory and crashes. The vulnerability affects all ESPHome device platforms, including ESP32, ESP8266, RP2040, and LibreTiny. When the plaintext API protocol is used, the attack can be carried out without authentication. The vulnerability can also be triggered when noise encryption is enabled, but that requires knowledge of the encryption key.
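The bug class described above, as an added illustration that is not ESPHome's code: a minimal protobuf length-delimited field parser in which the flawed check adds the field length to the read offset (so a huge length wraps in 32-bit arithmetic and looks in bounds) sits beside the hardened check that compares the length against the bytes actually remaining. Offsets are modelled as uint32_t to mirror 32-bit size arithmetic on ESP32/ESP8266/RP2040 class targets; the function names, the enum, and the two constructed sample messages are assumptions for this example, and the exact expression in the vulnerable ESPHome release is not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative protobuf length-delimited field parser (not ESPHome's code).
 * Offsets and lengths are uint32_t to model 32-bit size_t arithmetic on
 * ESP32/ESP8266/RP2040 class targets; unsigned wraparound is well defined in C. */

typedef enum { FIELD_OK, FIELD_TRUNCATED, FIELD_BAD_WIRE_TYPE, FIELD_OUT_OF_BOUNDS } field_status_t;

/* Pattern of the flawed bounds check (hypothetical form): pos + field_length
 * can wrap, so a huge field_length compares as "in bounds". Returns true if
 * the field would be accepted. */
bool naive_check_accepts(uint32_t buf_len, uint32_t pos, uint32_t field_length) {
    return pos + field_length <= buf_len;
}

/* Hardened check: compare the length against the bytes actually remaining.
 * There is no addition, so nothing can wrap. */
bool safe_check_accepts(uint32_t buf_len, uint32_t pos, uint32_t field_length) {
    if (pos > buf_len) return false;
    return field_length <= buf_len - pos;
}

/* Decode a base-128 varint (at most 5 bytes for 32 bits) starting at buf[*pos]. */
static bool read_varint32(const uint8_t *buf, uint32_t len, uint32_t *pos, uint32_t *out) {
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (*pos >= len) return false;              /* ran off the buffer */
        uint8_t b = buf[(*pos)++];
        result |= (uint32_t)(b & 0x7Fu) << shift;
        if (!(b & 0x80u)) { *out = result; return true; }
    }
    return false;                                    /* varint too long for 32 bits */
}

/* Parse one length-delimited field (wire type 2): tag varint, length varint,
 * then payload. The payload pointer is only handed out after the safe check. */
field_status_t parse_length_delimited(const uint8_t *buf, uint32_t len, uint32_t *pos,
                                      const uint8_t **payload, uint32_t *payload_len) {
    uint32_t tag, field_length;
    if (!read_varint32(buf, len, pos, &tag)) return FIELD_TRUNCATED;
    if ((tag & 0x7u) != 2) return FIELD_BAD_WIRE_TYPE;
    if (!read_varint32(buf, len, pos, &field_length)) return FIELD_TRUNCATED;
    if (!safe_check_accepts(len, *pos, field_length)) return FIELD_OUT_OF_BOUNDS;
    *payload = buf + *pos;
    *payload_len = field_length;
    *pos += field_length;
    return FIELD_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t kGoodMsg[] = { 0x0A, 0x03, 'a', 'b', 'c' };                /* field 1, length 3 */
static const uint8_t kOversizedMsg[] = { 0x0A, 0xFE, 0xFF, 0xFF, 0xFF, 0x0F };  /* length 0xFFFFFFFE, no payload */

field_status_t parse_good(void) {
    uint32_t pos = 0, n; const uint8_t *p;
    return parse_length_delimited(kGoodMsg, sizeof kGoodMsg, &pos, &p, &n);
}

field_status_t parse_oversized(void) {
    uint32_t pos = 0, n; const uint8_t *p;
    return parse_length_delimited(kOversizedMsg, sizeof kOversizedMsg, &pos, &p, &n);
}

/* After the tag and length varints, pos == 6 == buffer length. The naive check
 * computes 6 + 0xFFFFFFFE == 4 after wraparound, 4 <= 6, and accepts the field. */
bool naive_accepts_oversized(void) {
    return naive_check_accepts(sizeof kOversizedMsg, 6, 0xFFFFFFFEu);
}

int main(void) {
    printf("good message:      %s\n", parse_good() == FIELD_OK ? "FIELD_OK" : "rejected");
    printf("oversized length:  %s\n", parse_oversized() == FIELD_OUT_OF_BOUNDS ? "FIELD_OUT_OF_BOUNDS" : "accepted");
    printf("naive check wraps: %s\n", naive_accepts_oversized() ? "accepts (bug)" : "rejects");
    return 0;
}
```

The point of the hardened form is that `buf_len - pos` can never exceed the buffer once `pos <= buf_len` is established, so no attacker-controlled value ever enters an addition; the same rewrite (check the remaining space, never the sum) is the usual fix for this bug class in any length-prefixed decoder.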

Impact

Exploitation of this vulnerability causes the device to crash and reboot.

Remediation

Users are advised to upgrade to ESPHome version 2025.12.7 or later, or 2026.1.0b3 or later. After upgrading, API encryption should be enabled with a unique key for each device. For more detailed guidance, refer to the ESPHome Security Best Practices.

Added: Jan 19, 2026, 6:24 PM
Updated: Jan 19, 2026, 6:24 PM

Vulnerability Rating (Custom Algorithm)

  spread          5.7
  impact          2.5
  exploitability  8.4
  remediation     8.3
  relevance       2.1
  threat          3.2
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.