Guanxing Wen

**Name of the Vulnerable Software and Affected Versions** Ledger Nano X (affected versions not specified) Ledger Flex (affected versions not specified) Ledger Stax (affected versions not specified) **Description** A denial of service issue exists in the MCU firmware update process. The flaw is caused by missing validation of the `reset handler` parameter during firmware flashing. An attacker can provide a crafted `reset handler` address that points to invalid memory or attacker-controlled code, causing the device to enter an unrecoverable fault state during boot and resulting in permanent loss of operability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PCRE versions prior to 8.38 **Description** The issue is related to a heap-based buffer overflow in the `find fixedlength` function, which can be triggered by a crafted regular expression with an excess closing parenthesis. This can cause a denial of service (crash) or allow remote attackers to obtain sensitive information from heap memory, potentially bypassing the ASLR protection mechanism. **Recommendations** For versions prior to 8.38, update to version 8.38 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted regular expressions to minimize the risk of exploitation.