CVE-2023-7346
Ledger Bitcoin App Address Derivation Vulnerability

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: VulnCheck

Description
Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses.
Affected Vendors & Products (3 associated CPEs)

Vendor: ledger | Product: bitcoin_app | Version / Range: up to 2.1.0 (inclusive)
Vendor: ledger | Product: bitcoin_app | Version / Range: up to 2.1.1 (inclusive)
Vendor: ledger | Product: bitcoin_app | Version / Range: 2.1.2
CWE

CWE-682: The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
AI Powered Q&A
Can you explain this vulnerability to me?

Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain a vulnerability related to the improper handling of miniscript policies containing the "a:" fragment.

This flaw allows attackers to craft malicious miniscript policies that cause the device to derive and display incorrect Bitcoin receiving addresses.

As a result, users may see incorrect addresses on their device, potentially leading them to send funds to unintended recipients.


How can this vulnerability impact me?

The vulnerability can cause your Ledger device to display incorrect Bitcoin receiving addresses when using miniscript policies with the "a:" fragment.

This means you might unknowingly send Bitcoin funds to an unintended address controlled by an attacker.

However, the practical impact is limited because most widely deployed wallet software does not fully integrate miniscript policies containing the "a:" fragment.

Additionally, the issue was fixed in version 2.1.2 of the app, and client libraries were updated to reject such policies on affected versions, reducing the risk.

To mitigate risks, it is recommended to implement robust address verification processes, such as independently comparing addresses generated by software wallets with those displayed on the hardware device.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves incorrect Bitcoin address derivation caused by improper handling of miniscript policies containing the "a:" fragment in Ledger Bitcoin app versions 2.1.0 and 2.1.1.

To detect if your system or device is affected, verify the app version on your Ledger device to see if it is 2.1.0 or 2.1.1.

Additionally, check if any miniscript policies containing the "a:" fragment are being used or processed by your wallet or client libraries.

Since the vulnerability is related to address derivation, you can compare Bitcoin addresses generated independently (e.g., via trusted software or libraries) with those displayed on the Ledger device to detect discrepancies.

No specific network or system commands are provided in the available resources to detect this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability was fixed in Ledger Bitcoin app version 2.1.2, so the immediate step is to update your Ledger Bitcoin app to version 2.1.2 or later.

Avoid using miniscript policies containing the "a:" fragment on affected app versions (2.1.0 and 2.1.1).

Client libraries for Python, JavaScript, and Rust have been updated to reject miniscript policies with the "a:" fragment on vulnerable app versions, so ensure your software wallets and client libraries are updated accordingly.

Implement robust address verification processes by independently generating and comparing Bitcoin addresses with those displayed on the hardware wallet before sending funds.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
