VYPR
Vendor: Ledger CLI

Products: 1
CVEs: 10
Across products: 10
Status: Private

Recent CVEs (10)

  • CVE-2017-12482 | High | Aug 4, 2017
    risk 0.51 | cvss 7.8 | epss 0.01

    The ledger::parse_date_mask_routine function in times.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.

  • CVE-2017-12481 | High | Aug 4, 2017
    risk 0.51 | cvss 7.8 | epss 0.01

    The find_option function in option.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.

  • CVE-2017-2808 | High | Sep 5, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to…

  • CVE-2017-2807 | High | Sep 5, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.

  • CVE-2023-7345 | Medium | May 19, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of…

  • CVE-2025-15645 | Medium | May 19, 2026
    risk 0.30 | cvss 4.6 | epss 0.00

    Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid…

  • CVE-2023-7346 | Medium | May 20, 2026
    risk 0.26 | cvss 4.0 | epss 0.00

    Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious…

  • CVE-2020-12119 | Jul 2, 2020
    risk 0.00 | cvss | epss 0.00

    Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF). It increases the user's balance with the value of an unconfirmed transaction as soon as it is received (before the transaction is confirmed) and does not decrease the balance when it is canceled. As a…

  • CVE-2020-6861 | May 6, 2020
    risk 0.00 | cvss | epss 0.00

    A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC.

  • CVE-2019-14354 | Aug 10, 2019
    risk 0.00 | cvss | epss 0.00

    On Ledger Nano S and Nano X devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in…