PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-7346 Ledger CVE debrief

CVE-2023-7346 describes an address-derivation flaw in Ledger Bitcoin app versions 2.1.0 and 2.1.1. A maliciously crafted Miniscript policy containing the a: fragment can cause the device to derive and display an incorrect receiving Bitcoin address, creating a risk that funds are sent to the wrong destination. The supplied CVE record rates the issue Medium (CVSS 4.1), and the NVD entry cites Ledger’s disclosure page and a VulnCheck advisory as references.

Vendor: Ledger
Product: Ledger Bitcoin app
CVSS: MEDIUM 4.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Bitcoin users and operators running Ledger Bitcoin app 2.1.0 or 2.1.1, especially anyone who relies on the on-device address display to confirm receiving addresses. Security teams supporting wallet operations, transaction approval workflows, or Miniscript-based policy use should also review their exposure.

Technical summary

The issue is an address derivation and display mismatch triggered by improper handling of Miniscript policies that include the a: fragment. According to the supplied description, an attacker can craft a malicious policy that leads the device to compute and show the wrong receiving address. The practical impact is not code execution; it is potential misdirection of funds to an unintended Bitcoin address if the displayed address is trusted during payment setup. The NVD record associates the issue with CWE-682 and lists a Medium CVSS 4.1 rating.

Defensive priority

Medium — prioritize remediation for any environment using Ledger Bitcoin app 2.1.0 or 2.1.1 and any workflow that accepts or processes Miniscript policies.

Recommended defensive actions

  • Identify whether Ledger Bitcoin app 2.1.0 or 2.1.1 is in use anywhere in your environment.
  • Treat Miniscript policies from untrusted or externally supplied sources as high risk until confirmed against vendor guidance.
  • Verify receiving addresses through a second trusted channel before sending funds, especially for policy-driven or advanced wallet setups.
  • Follow the Ledger advisory reference and any updated vendor guidance before approving new receiving-address workflows.
  • Retest wallet workflows after updating to a version that addresses the issue, and document any controls used to prevent address spoofing or policy manipulation.
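As an added example that is not part of this debrief or of Ledger's own code, the following Python screen implements the second action above: it scans a wallet policy string for Miniscript fragments that carry the a: wrapper, so such policies can be held for manual review before being registered on a device running an affected version. The policy strings are constructed for illustration, and the @N/** key placeholders follow the assumed Ledger wallet-policy notation.

```python
import re
from typing import List, Tuple

# A Miniscript fragment head is "[wrappers:]name(", where the optional prefix is a
# run of single-letter wrappers (for example "a", "s", "v", "d") followed by ":".
# Keys never contain "(", so only real fragment heads match this pattern.
FRAGMENT_HEAD = re.compile(r"\b(?:([a-z]+):)?([a-z_0-9]+)\(")


def fragment_heads(policy: str) -> List[Tuple[str, str]]:
    """Return (wrappers, fragment_name) for every fragment head in the policy text."""
    return [(m.group(1) or "", m.group(2)) for m in FRAGMENT_HEAD.finditer(policy)]


def uses_alt_wrapper(policy: str) -> List[str]:
    """List the fragment heads whose wrapper prefix contains the a: (alt-stack) wrapper."""
    return [f"{wrappers}:{name}" for wrappers, name in fragment_heads(policy) if "a" in wrappers]


def screen_policy(policy: str) -> dict:
    """Gate a policy: anything with an a: fragment is flagged for out-of-band review."""
    hits = uses_alt_wrapper(policy)
    return {"policy": policy, "a_wrapper_fragments": hits, "needs_review": bool(hits)}


if __name__ == "__main__":
    # Constructed sample policies; "after(" and "s:" must not trigger a false positive.
    samples = [
        "wsh(and_v(v:pk(@0/**),older(144)))",
        "wsh(and_b(pk(@0/**),a:pk(@1/**)))",
        "wsh(thresh(2,pk(@0/**),s:pk(@1/**),after(800000)))",
    ]
    for p in samples:
        result = screen_policy(p)
        print(("REVIEW " if result["needs_review"] else "ok     ") + p, result["a_wrapper_fragments"])
```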

Evidence notes

This debrief is based only on the supplied CVE description, the supplied NVD metadata, and the referenced official URLs. The NVD entry for CVE-2023-7346 is marked vulnStatus Deferred and lists two references: Ledger’s donjon advisory page and a VulnCheck advisory. The supplied data also identifies CWE-682 and a CVSS v4.0 vector with a Medium score of 4.1. Vendor attribution in the supplied enrichment is low-confidence, so this summary stays scoped to the Ledger Bitcoin app description provided in the source corpus.

Official resources

Publicly disclosed in the supplied CVE record on 2026-05-20. NVD metadata in the provided corpus shows the entry as Deferred. This debrief uses only the supplied record and referenced official URLs.