PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-15645 Ledger CVE debrief

CVE-2025-15645 describes a denial-of-service issue in the MCU firmware update process for Ledger Nano X, Flex, and Stax devices. The reported problem is missing validation of the reset_handler parameter during firmware flashing. According to the source description, a crafted reset_handler address can point to invalid memory or attacker-controlled code and trigger an unrecoverable fault state during boot, which can permanently stop the device from operating. NVD lists the record as deferred and the CVSS severity as Medium (5.1).

Vendor
Ledger
Product
Ledger Nano X
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-20
Advisory published
2026-05-19
Advisory updated
2026-05-20

Who should care

Owners and operators of Ledger Nano X, Flex, and Stax devices, especially anyone responsible for firmware update handling, device fleet management, or hardware wallet recovery planning.

Technical summary

The vulnerability is tied to the boot-time path used after MCU firmware flashing. The source corpus says the reset_handler parameter is not properly validated, so a maliciously crafted value can redirect execution to invalid memory or attacker-controlled code. The result is a fault during boot that the source describes as unrecoverable and potentially permanent loss of operability. The record is associated with CWE-1284 in the NVD metadata and has CVSS v4.0 vector indicating physical attack conditions and high availability impact.

Defensive priority

Medium. The issue is not described as enabling data theft or remote compromise, but it can render affected hardware unusable if the firmware update process is abused.

Recommended defensive actions

  • Review whether any affected Ledger Nano X, Flex, or Stax devices are exposed to untrusted firmware flashing workflows.
  • Restrict firmware update access to trusted administrative processes and verified update sources.
  • Track vendor guidance from the referenced Ledger disclosure and the associated VulnCheck advisory for remediation or mitigations.
  • Plan for device recovery or replacement procedures in case a device enters an unrecoverable boot fault state.
  • Update asset inventories and support documentation so teams can quickly identify affected hardware models and firmware-update dependencies.

Evidence notes

The CVE description explicitly states that Ledger Nano X, Flex, and Stax devices contain a denial-of-service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. It also states that a crafted reset_handler address can cause an unrecoverable fault state during boot and permanent loss of operability. NVD metadata marks the record as Deferred and associates it with CWE-1284. Published and modified timestamps in the supplied timeline are 2026-05-19T22:16:36.187Z and 2026-05-20T14:16:36.080Z, respectively.

Official resources

Publicly disclosed in the supplied source corpus with CVE published at 2026-05-19T22:16:36.187Z and modified at 2026-05-20T14:16:36.080Z. No exploitation details are included here.