diff --git a/esphome/components/api/api_connection.cpp b/esphome/components/api/api_connection.cpp
index 4bcb83ccb6..56a53f3673 100644
--- a/esphome/components/api/api_connection.cpp
+++ b/esphome/components/api/api_connection.cpp
@@ -1718,11 +1718,15 @@ void APIConnection::on_home_assistant_state_response(const HomeAssistantStateRes
     // Create null-terminated state for callback (parse_number needs null-termination)
     // HA state max length is 255, so 256 byte buffer covers all cases
     char state_buf[256];
-    if (msg.state_len > 0) {
-      memcpy(state_buf, msg.state, msg.state_len);
+    size_t copy_len = msg.state_len;
+    if (copy_len >= sizeof(state_buf)) {
+      copy_len = sizeof(state_buf) - 1;  // Truncate to leave space for null terminator
     }
-    state_buf[msg.state_len] = '\0';
-    it.callback(StringRef(state_buf, msg.state_len));
+    if (copy_len > 0) {
+      memcpy(state_buf, msg.state, copy_len);
+    }
+    state_buf[copy_len] = '\0';
+    it.callback(StringRef(state_buf, copy_len));
   }
 }
 #endif