CVE-2023-7346 describes an address-derivation flaw in Ledger Bitcoin app versions 2.1.0 and 2.1.1. A maliciously crafted Miniscript policy containing the a: fragment can cause the device to derive and display an incorrect receiving Bitcoin address, creating a risk that funds are sent to the wrong destination. The supplied CVE record rates the issue Medium (CVSS 4.1), and the NVD entry cites Ledger’s discl [truncated]
CVE-2025-15645 describes a denial-of-service issue in the MCU firmware update process for Ledger Nano X, Flex, and Stax devices. The reported problem is missing validation of the reset_handler parameter during firmware flashing. According to the source description, a crafted reset_handler address can point to invalid memory or attacker-controlled code and trigger an unrecoverable fault state during boot, [truncated]
CVE-2023-7345 describes an integer parsing flaw in Ledger Live integrations using ledgerhq/hw-app-eth before 6.34.7. When EIP-712 typed data contains an odd number of hexadecimal characters, fields may be truncated or misinterpreted, which can lead users to sign unintended blockchain transaction data. The supplied NVD record lists the issue as Deferred and references a Ledger disclosure page plus a VulnCh [truncated]