Ledger · Ledger Live · CVE-2020-12119
**Name of the Vulnerable Software and Affected Versions**
Ledger Live versions prior to 2.7.0
**Description**
The issue arises from the software's failure to handle Bitcoin's Replace-By-Fee (RBF) properly. It incorrectly updates the user's balance by adding the value of unconfirmed transactions as soon as they are received, without waiting for confirmation. Furthermore, it does not adjust the balance when a transaction is canceled. This exposes users to various attacks, including basic double spending attacks, amplified double spending attacks, and Denial of Service (DoS) attacks, all without the user's consent.
**Recommendations**
For versions prior to 2.7.0, update to version 2.7.0 or later to resolve the issue.