CVSS Vector (NVD)
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description (NVD)
Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-controlled code to cause the device to enter an unrecoverable fault state during boot, resulting in permanent loss of operability.
Analysis (AI)
Permanent denial of service in Ledger Nano X, Flex, and Stax hardware cryptocurrency wallets allows a physically present attacker to irreversibly brick the device by supplying a crafted reset_handler address during MCU firmware flashing. The firmware update process accepts attacker-controlled pointer values without bounds checking or range validation, causing the MCU to dereference an invalid instruction pointer at boot and enter an unrecoverable hardware fault state. No public exploit code is identified at time of analysis and the device is not listed in the CISA KEV catalog; the CVSS 4.0 score of 5.1 (Medium) reflects the mandatory physical access requirement, which substantially constrains the attacker population but does not diminish the severity of permanent device loss for affected users.
Technical Context (AI)
Ledger Nano X, Flex, and Stax are ARM-based hardware wallets whose MCU (Microcontroller Unit) firmware is updatable via a host-connected flashing interface. The reset_handler is a vector table entry - a pointer stored in the MCU's firmware image that the hardware dereferences immediately after reset to locate the first instruction of the firmware. CWE-1284 (Improper Validation of Specified Quantity in Input) describes the root cause: the firmware flashing routine accepts this pointer value from the image without validating that it falls within a legitimate executable memory region. A crafted image embedding an out-of-bounds or attacker-controlled reset_handler address causes a hard fault exception during the very first boot cycle after flashing, before any recovery mechanism can execute, making the fault state unrecoverable by design of the MCU exception model. No CPE strings were provided in the available data, so exact affected firmware version identifiers must be obtained from the Ledger security bulletin.
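The missing check described above is a pointer-range validation on the vector table entry before the image is written. The following is an added illustration of what such a check looks like, not Ledger's firmware or flashing code: it assumes a Cortex-M style vector table (initial stack pointer at offset 0, reset_handler at offset 4, bit 0 set for Thumb mode) and a hypothetical flash region at 0x08000000 of 64 KiB; the real devices' memory map and image format are not given on this page. The validator rejects a reset_handler that is not a Thumb address, lies outside flash, or lies inside flash but beyond the bytes actually being written, all of which would otherwise produce a hard fault on the first boot after flashing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical memory map for the example; real devices differ. */
#define FLASH_BASE   0x08000000u
#define FLASH_SIZE   0x00010000u   /* 64 KiB */
#define VT_RESET_OFF 4u            /* Cortex-M: reset_handler is word 1 of the vector table */

typedef enum {
    RH_OK = 0,
    RH_IMAGE_TOO_SHORT,   /* image does not even contain a full vector table entry */
    RH_NOT_THUMB,         /* bit 0 clear: the core would fault on an ARM-mode entry */
    RH_OUTSIDE_FLASH,     /* points outside the flash region (e.g. RAM, 0xFFFFFFFF) */
    RH_OUTSIDE_IMAGE      /* inside flash, but past the bytes this image provides */
} rh_result_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the reset_handler of an image about to be flashed at FLASH_BASE.
 * Must run before any flash page is erased, so a rejected image leaves the
 * currently installed firmware intact. */
rh_result_t validate_reset_handler(const uint8_t *image, size_t len) {
    if (len < VT_RESET_OFF + 4u)
        return RH_IMAGE_TOO_SHORT;

    uint32_t rh = read_le32(image + VT_RESET_OFF);
    if ((rh & 1u) == 0u)
        return RH_NOT_THUMB;

    uint32_t addr = rh & ~1u;                       /* strip the Thumb bit */
    if (addr < FLASH_BASE || addr >= FLASH_BASE + FLASH_SIZE)
        return RH_OUTSIDE_FLASH;

    if ((size_t)(addr - FLASH_BASE) >= len)         /* entry must be backed by image bytes */
        return RH_OUTSIDE_IMAGE;

    return RH_OK;
}

/* Build a constructed 256-byte test image: hypothetical initial SP in RAM,
 * the given reset_handler word, and zero padding. Returns the image length. */
size_t make_image(uint8_t *buf, size_t cap, uint32_t reset_handler) {
    const size_t len = 256u;
    if (cap < len) return 0u;
    memset(buf, 0, len);
    uint32_t sp = 0x20001000u;                      /* hypothetical top of RAM */
    buf[0] = (uint8_t)sp;  buf[1] = (uint8_t)(sp >> 8);
    buf[2] = (uint8_t)(sp >> 16); buf[3] = (uint8_t)(sp >> 24);
    buf[4] = (uint8_t)reset_handler;       buf[5] = (uint8_t)(reset_handler >> 8);
    buf[6] = (uint8_t)(reset_handler >> 16); buf[7] = (uint8_t)(reset_handler >> 24);
    return len;
}

int main(void) {
    static const char *names[] = {
        "OK", "IMAGE_TOO_SHORT", "NOT_THUMB", "OUTSIDE_FLASH", "OUTSIDE_IMAGE"
    };
    const uint32_t cases[] = { 0x08000041u, 0x08000040u, 0xFFFFFFFFu, 0x20000001u, 0x08001001u };
    uint8_t img[256];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = make_image(img, sizeof img, cases[i]);
        printf("reset_handler=0x%08X -> %s\n", cases[i], names[validate_reset_handler(img, n)]);
    }
    return 0;
}
```

The check on the image length matters as much as the flash-range check: an address that is inside flash but beyond the bytes being written would point at whatever the previous firmware or erased flash left there, which is exactly the unrecoverable-boot condition the advisory describes.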
Remediation (AI)
The primary remediation is to apply the firmware update issued by Ledger, details and download links for which are published at https://www.ledger.com/security-bulletin. An exact patched firmware version number is not independently confirmed from the available intelligence data - users should consult the bulletin directly to identify the minimum safe version for each device model. As a compensating control, enforce strict physical security of all Ledger devices: do not leave devices unattended in environments where untrusted parties could connect them to a host and initiate firmware operations. Purchasing devices exclusively through Ledger's official channels or authorized resellers reduces supply chain interception risk; users should verify the device's cryptographic attestation at first boot to detect pre-delivery tampering. For enterprise deployments managing multiple hardware wallets, implement chain-of-custody logging for device handling. Note that firmware downgrade restrictions, if enforced by the device, may limit an attacker's ability to re-flash a patched device with a vulnerable image - verify with Ledger whether anti-rollback protections are present.
External POC / Exploit Code
EUVD-2025-209901
GHSA-jj3m-33jh-v459