CVE-2026-23833: The 4GB Loophole in Your Light Switch
Jan 21, 2026
Executive Summary (TL;DR)
ESPHome, the software running on millions of DIY smart home devices, has a remote denial-of-service vulnerability. By sending a specially crafted protobuf message with a massive length field, an attacker can trigger an integer overflow during a safety check. This bypasses the buffer protection, causes the device to read invalid memory, and forces a hard crash/reboot. If you aren't using API encryption, anyone on your Wi-Fi can flicker your lights off indefinitely.
A classic integer overflow in ESPHome's API protobuf decoder allows remote attackers to crash devices by sending a malformed packet. This vulnerability highlights the dangers of pointer arithmetic in C++ on 32-bit microcontrollers.
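To make the failure mode concrete, here is an added model of the bounds check described above (written for this page, not ESPHome's own code; the function and constant names are hypothetical). Offsets are kept in `uint32_t` to mimic 32-bit pointer arithmetic on the microcontroller, so the wraparound reproduces even when compiled on a 64-bit host; the constructed packets encode a protobuf length-delimited field whose length varint is 0xFFFFFFFF.

```cpp
#include <cstdint>
#include <vector>

// Decode a protobuf base-128 varint at buf[pos]; false if the buffer is truncated
// or the value does not fit in 32 bits.
static bool read_varint(const std::vector<uint8_t>& buf, uint32_t& pos, uint32_t& out) {
    uint32_t result = 0;
    for (int shift = 0; shift < 35; shift += 7) {
        if (pos >= buf.size()) return false;
        uint8_t b = buf[pos++];
        result |= static_cast<uint32_t>(b & 0x7F) << shift;
        if ((b & 0x80) == 0) { out = result; return true; }
    }
    return false;
}

// Vulnerable pattern: cursor + length is computed in 32-bit arithmetic, so a
// length close to 4 GiB wraps past zero and the comparison wrongly passes.
bool check_vulnerable(uint32_t pos, uint32_t len, uint32_t total) {
    return pos + len <= total;  // wraps when pos + len >= 2^32
}

// Hardened pattern: compare the length against the bytes that remain instead of
// adding it to the cursor; there is no addition, so nothing can wrap.
bool check_fixed(uint32_t pos, uint32_t len, uint32_t total) {
    return pos <= total && len <= total - pos;
}

struct Verdict { bool vulnerable_accepts; bool fixed_accepts; uint32_t len; };

// Parse one field header (tag varint, then length varint) and report whether
// each check would let the decoder proceed to read `len` payload bytes.
Verdict evaluate(const std::vector<uint8_t>& pkt) {
    Verdict v{false, false, 0};
    uint32_t pos = 0, tag = 0;
    if (!read_varint(pkt, pos, tag) || (tag & 0x7) != 2) return v;  // wire type 2 only
    if (!read_varint(pkt, pos, v.len)) return v;
    uint32_t total = static_cast<uint32_t>(pkt.size());
    v.vulnerable_accepts = check_vulnerable(pos, v.len, total);
    v.fixed_accepts = check_fixed(pos, v.len, total);
    return v;
}

// Constructed sample: field 1, wire type 2, length 0xFFFFFFFF, no payload at all.
const std::vector<uint8_t> kMalformed = {0x0A, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
// Constructed sample: field 1, wire type 2, length 3, payload "abc".
const std::vector<uint8_t> kBenign = {0x0A, 0x03, 'a', 'b', 'c'};
```

For the malformed packet the vulnerable check computes 6 + 0xFFFFFFFF, which wraps to 5 and passes, while the remaining-bytes form rejects it; both forms accept the benign packet.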
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ESPHome | 2025.9.0 - 2025.12.6 | 2025.12.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-190 |
| Attack Vector | Network (TCP/6053) |
| CVSS v4.0 | 1.7 (Official) |
| Real World Severity | Medium/High (DoS) |
| Impact | Device Crash / Boot Loop |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
CWE-190: Integer Overflow or Wraparound