The Ledger Bitcoin app has a vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed on the device, potentially leading to funds being sent to unintended addresses. The cause is improper handling of miniscript policies containing the a: fragment. Attackers can exploit this by crafting malicious miniscript policies.
Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses.
Users of the Ledger Bitcoin app versions 2.1.0 and 2.1.1 are at risk of having their funds sent to unintended addresses.
CVSS v3.1 vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N