SCA: security update for esphome (GHSA-4h3h-63v6-88qx)

medium Tenable Self-Hosted Container Security Plugin ID 436850

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions
2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-
service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in
`components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This
affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-
of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API
protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge
of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch,
enable API encryption with a unique key per device, and follow the Security Best Practices.
(CVE-2026-23833)

See Also

https://github.com/advisories/GHSA-4h3h-63v6-88qx

Plugin Details

Severity: Medium

ID: 436850

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/21/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-23833

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 1.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/21/2026

Vulnerability Publication Date: 1/19/2026

Reference Information

CVE: CVE-2026-23833

cwe: CWE-190