PT-2026-42182 · Ledger · Bitcoin App

Antoine Poinsot

+2

·

Published

2026-05-20

·

Updated

2026-05-20

·

CVE-2023-7346

CVSS v3.1

4.0

Medium

VectorAV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Ledger Bitcoin app versions 2.1.0 through 2.1.1
Description An address derivation issue exists due to the improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, which could lead to funds being sent to unintended addresses.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2023-7346

Affected Products

Bitcoin App