PatchSiren cyber security CVE debrief
CVE-2023-7345 Ledger CVE debrief
CVE-2023-7345 describes an integer parsing flaw in Ledger Live integrations using ledgerhq/hw-app-eth before 6.34.7. When EIP-712 typed data contains an odd number of hexadecimal characters, fields may be truncated or misinterpreted, which can lead users to sign unintended blockchain transaction data. The supplied NVD record lists the issue as Deferred and references a Ledger disclosure page plus a VulnCheck advisory.
- Vendor: Ledger
- Product: ledgerhq/hw-app-eth
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Ledger Live users, developers, and operators of applications that embed or depend on ledgerhq/hw-app-eth prior to 6.34.7; teams that rely on EIP-712 typed data signing for blockchain approvals; security teams reviewing hardware-wallet transaction validation flows.
Technical summary
The vulnerability is an integer parsing / hex-field handling issue in ledgerhq/hw-app-eth prior to 6.34.7. According to the supplied description, odd-length hexadecimal values in EIP-712 typed data can be parsed incorrectly, causing the displayed or signed value to differ from the intended message. That can let an attacker obtain a signature over truncated or misread data and potentially authorize unintended transfers or other on-chain actions.
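The following JavaScript is an added example written for this debrief; it is not code from ledgerhq/hw-app-eth or from Ledger. It shows the failure mode the summary describes in general terms: a parser that walks hex characters two at a time silently drops the trailing nibble of an odd-length value, whereas a strict parser rejects it. The `findMalformedHexFields` check is the kind of pre-signing validation a defender can run over typed data before it reaches a signing flow. The typed-data object, field names and addresses are all constructed for the example.

```javascript
// Added example, not code from ledgerhq/hw-app-eth: strict validation of
// 0x-prefixed hex fields in EIP-712 typed data before it is signed.

// Constructed sample typed-data message. The "amount" field has five hex
// characters, which is the odd-length (malformed) case.
const SAMPLE_TYPED_DATA = {
  domain: {
    name: "Example",
    version: "1",
    chainId: 1,
    verifyingContract: "0x0000000000000000000000000000000000000001",
  },
  primaryType: "Permit",
  message: {
    owner: "0x00000000000000000000000000000000000000aa",
    spender: "0x00000000000000000000000000000000000000bb",
    amount: "0x12345",
    nonce: 7,
  },
};

const HEX_RE = /^[0-9a-fA-F]*$/;

function stripPrefix(hex) {
  return hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
}

// Naive nibble-pair parser, constructed to illustrate the misparse: it reads
// two characters at a time and drops a lone trailing nibble without error,
// so "0x12345" becomes the bytes of 0x1234.
function naiveHexToBytes(hex) {
  const h = stripPrefix(hex);
  const out = [];
  for (let i = 0; i + 1 < h.length; i += 2) {
    out.push(parseInt(h.slice(i, i + 2), 16));
  }
  return out;
}

// Strict parser: rejects odd length and non-hex characters instead of
// guessing, so a malformed field can never produce a shortened value.
function strictHexToBytes(hex) {
  const h = stripPrefix(hex);
  if (h.length % 2 !== 0) throw new Error(`odd-length hex string: ${hex}`);
  if (!HEX_RE.test(h)) throw new Error(`non-hex characters: ${hex}`);
  const out = [];
  for (let i = 0; i < h.length; i += 2) {
    out.push(parseInt(h.slice(i, i + 2), 16));
  }
  return out;
}

// Walks a typed-data object and returns dotted paths of every 0x-prefixed
// string that is odd-length or contains non-hex characters.
function findMalformedHexFields(obj, path = []) {
  const bad = [];
  for (const [key, value] of Object.entries(obj)) {
    const here = [...path, key];
    if (typeof value === "string" && /^0x/i.test(value)) {
      const h = value.slice(2);
      if (h.length % 2 !== 0 || !HEX_RE.test(h)) bad.push(here.join("."));
    } else if (value !== null && typeof value === "object") {
      bad.push(...findMalformedHexFields(value, here));
    }
  }
  return bad;
}

// Gate to place in front of a signing call: refuse to proceed if any hex
// field is malformed, and report which ones.
function checkBeforeSigning(typedData) {
  const problems = findMalformedHexFields(typedData);
  return { ok: problems.length === 0, problems };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive parse of 0x12345:", naiveHexToBytes("0x12345"));
  console.log("pre-signing check:", checkBeforeSigning(SAMPLE_TYPED_DATA));
}
```

Running the block prints `[ 18, 52 ]` for the naive parse (the trailing `5` is gone) and reports `message.amount` as the offending field; `strictHexToBytes("0x12345")` throws instead of returning a shortened value.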
Defensive priority
Medium. The impact can be financially significant because it affects signing trust, but the issue requires user interaction and the supplied CVSS severity is medium (6.9). Prioritize remediation in any environment that uses Ledger Live or the affected library for transaction approval.
Recommended defensive actions
- Update ledgerhq/hw-app-eth to version 6.34.7 or later.
- Verify that Ledger Live and any downstream applications are not bundling a vulnerable copy of ledgerhq/hw-app-eth.
- Review lockfiles, package manifests, and supply-chain dependencies for the affected library version.
- Treat EIP-712 signing prompts with extra verification until all affected components are updated.
- If your workflow depends on hardware-wallet approvals, confirm the values shown to users are fully validated before signing.
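The second, third and fourth actions above amount to one procedure: find every copy of the library in a dependency tree and compare its version against the fixed release. The JavaScript below is an added example, not a tool from Ledger or PatchSiren. It assumes the npm package name `@ledgerhq/hw-app-eth` and the layout of a lockfile `packages` map (keys of the form `node_modules/<name>`, including nested `node_modules` paths, each with a `version`); the lockfile contents are constructed for the example.

```javascript
// Added example, not a Ledger tool: scan a package-lock "packages" map for
// copies of @ledgerhq/hw-app-eth older than the fixed version 6.34.7.

// Assumed npm package name for the library named in the advisory.
const PACKAGE_NAME = "@ledgerhq/hw-app-eth";
const FIXED_VERSION = "6.34.7";

// Constructed lockfile fragment: a top-level vulnerable copy, a nested
// fixed copy, and a nested older vulnerable copy under another dependency.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@ledgerhq/hw-app-eth": { version: "6.34.6" },
    "node_modules/some-wallet-sdk": { version: "2.1.0" },
    "node_modules/some-wallet-sdk/node_modules/@ledgerhq/hw-app-eth": { version: "6.34.7" },
    "node_modules/other-integration/node_modules/@ledgerhq/hw-app-eth": { version: "6.33.0" },
  },
};

// Parses "major.minor.patch" (ignoring any "-prerelease" suffix) into numbers.
function parseVersion(v) {
  const core = v.split("-")[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 comparing a to b as semantic versions.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] < pb[i]) return -1;
    if (pa[i] > pb[i]) return 1;
  }
  return 0;
}

// True for lockfile keys whose last path segment is the package of interest.
function isTargetPackage(lockPath) {
  return lockPath === `node_modules/${PACKAGE_NAME}` ||
    lockPath.endsWith(`/node_modules/${PACKAGE_NAME}`);
}

// Lists every copy of the package in the lockfile that is below the fix.
function findVulnerableCopies(lockfile) {
  const found = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (!isTargetPackage(lockPath) || !entry.version) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      found.push({ path: lockPath, version: entry.version });
    }
  }
  return found;
}

if (typeof require !== "undefined" && require.main === module) {
  // To scan a real lockfile, replace SAMPLE_LOCKFILE with
  // JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
  for (const hit of findVulnerableCopies(SAMPLE_LOCKFILE)) {
    console.log(`vulnerable: ${hit.path} (${hit.version})`);
  }
}
```

On the constructed lockfile this reports the top-level 6.34.6 copy and the nested 6.33.0 copy, and stays silent on the nested 6.34.7 copy; nested copies matter because a bundled application can ship an old version even when the root manifest is current.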
Evidence notes
The supplied CVE description states that Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability affecting EIP-712 typed data when hexadecimal fields have an odd number of characters. The supplied NVD metadata marks the record as Deferred and cites two references: a Ledger disclosure page and a VulnCheck advisory. Timing context from the provided timeline shows the CVE published on 2026-05-19 and modified on 2026-05-20.
Official resources
Per the supplied timeline, the CVE was published on 2026-05-19 and modified on 2026-05-20. The NVD record is marked Deferred and references a Ledger disclosure page plus a VulnCheck advisory.