VYPR
Medium severity 6.5 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2023-7345

Description

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtain signatures on truncated or misinterpreted message values to authorize unintended blockchain transactions, such as asset transfers at incorrect amounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer parsing flaw in ledgerhq/hw-app-eth <6.34.7 allows attackers to manipulate EIP-712 messages by truncating hex values, leading to unintended blockchain transactions.

Vulnerability

An integer parsing vulnerability exists in the ledgerhq/hw-app-eth library used by Ledger Live when handling EIP-712 typed data messages. The flaw occurs when a hexadecimal integer field contains an odd number of characters, causing the value to be truncated (e.g., 0x123 becomes 0x12). This affects versions of ledgerhq/hw-app-eth prior to 6.34.7 and Ledger Live prior to 2.70.0 [1][2].
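The same 0x123 to 0x12 truncation can be reproduced with Node's built-in hex decoder, which drops a trailing unpaired nibble. The added example below (not code from hw-app-eth or from this advisory) contrasts that decoder with a strict one and with a pre-signing check that flags odd-length integer fields in a typed-data message. The function names and the sample message are constructed for illustration, and that the vulnerable library used this particular decoder is an assumption.

```javascript
// Added illustration; function names are hypothetical, sample data is constructed.

// Node's hex decoder drops a trailing unpaired nibble: "123" decodes to 0x12.
function naiveHexToBytes(hex) {
  return Buffer.from(hex.replace(/^0x/i, ""), "hex");
}

// Strict decoder: reject non-hex input and left-pad odd lengths so the
// numeric value is preserved ("123" becomes 0x0123).
function strictHexToBytes(hex) {
  const digits = hex.replace(/^0x/i, "");
  if (!/^[0-9a-fA-F]+$/.test(digits)) throw new TypeError(`not a hex value: ${hex}`);
  return Buffer.from(digits.length % 2 ? "0" + digits : digits, "hex");
}

const INT_TYPE = /^u?int\d*$/;

// Walk an EIP-712 message by its type definitions and return the paths of
// integer fields supplied as odd-length hex strings.
function findOddLengthIntFields(typedData) {
  const findings = [];
  const visit = (type, value, path) => {
    const arr = type.match(/^(.*)\[\d*\]$/);
    if (arr) {
      if (Array.isArray(value)) value.forEach((v, i) => visit(arr[1], v, `${path}[${i}]`));
    } else if (Array.isArray(typedData.types[type])) {
      for (const f of typedData.types[type]) {
        if (value != null && value[f.name] !== undefined) visit(f.type, value[f.name], `${path}.${f.name}`);
      }
    } else if (INT_TYPE.test(type) && typeof value === "string" &&
               /^0x[0-9a-fA-F]+$/.test(value) && (value.length - 2) % 2 === 1) {
      findings.push(path);
    }
  };
  visit(typedData.primaryType, typedData.message, "message");
  return findings;
}

// Constructed sample message (not taken from any real application).
const SAMPLE_TYPED_DATA = {
  primaryType: "Order",
  types: { Order: [{ name: "maker", type: "address" }, { name: "amount", type: "uint256" },
                   { name: "fees", type: "uint256[]" }] },
  message: { maker: "0x0000000000000000000000000000000000000001", amount: "0x123", fees: ["0x10", "0xabc"] },
};

console.log(naiveHexToBytes("0x123").toString("hex"), strictHexToBytes("0x123").toString("hex"));
console.log(findOddLengthIntFields(SAMPLE_TYPED_DATA));
```

A wallet front end or test suite can run a check like `findOddLengthIntFields` before handing a message to the signer, so that the value displayed and the value signed cannot diverge on parsing.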

Exploitation

An attacker can craft a malicious EIP-712 message with an integer field containing an odd-length hex string. A victim using a vulnerable version of Ledger Live with a Ledger device must be tricked into signing the message (user interaction required). When the victim signs, the resulting signature applies to the truncated value rather than the intended one [1].

Impact

Successful exploitation allows the attacker to obtain a valid signature on a manipulated message. This signature can be used to authorize unintended blockchain transactions, such as transferring assets at incorrect amounts, potentially leading to financial loss [1][2].

Mitigation

The vulnerability is fixed in ledgerhq/hw-app-eth version 6.34.7, which is included in Ledger Live 2.70.0. Users should update to these versions to mitigate the issue [1]. No workarounds have been disclosed.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
