CVE-2026-23833

ESPHome CVE-2026-23833: An integer overflow in the API component protobuf decoder (bounds check ptr + field_length in components/api/proto.cpp) allows denial-of-service by sending a large field_length. Affects ESPHome versions 2025.9.0–2025.12.6 across all supported devices (ESP32/ESP8266/RP2040/...