CVE-2025-15645
MCU Firmware Update DoS in Ledger Nano X, Flex, and Stax
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ledger | ledger_nano_x | * |
| ledger | ledger_stax | * |
| ledger | ledger_flex | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a denial of service by permanently bricking affected Ledger devices, resulting in loss of device operability.
The impact is limited to device operability and does not affect client funds or data confidentiality.
There is no information provided about effects on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a denial of service condition triggered during the MCU firmware update process on Ledger Nano X, Flex, and Stax devices by providing a crafted reset_handler address. Detection would primarily involve monitoring firmware update attempts and verifying the integrity and validity of the reset_handler parameter during the flashing process.
Since the vulnerability is specific to the firmware update process and the device entering an unrecoverable fault state during boot, detection on a network or system level would be challenging without device-specific diagnostic tools.
No specific commands or network detection methods are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating affected Ledger devices to the fixed firmware versions where the vulnerability has been addressed.
- Ledger Nano X to version 2.4.2 or later
- Ledger Flex to version 1.2.2 or later
- Ledger Stax to version 1.6.2 or later
Avoid performing firmware updates from untrusted sources or using unverified update files to prevent exploitation of the reset_handler parameter.
Can you explain this vulnerability to me?
This vulnerability affects Ledger Nano X, Flex, and Stax devices. It is a denial of service issue in the MCU firmware update process caused by missing validation of the reset_handler parameter during firmware flashing.
An attacker can supply a crafted reset_handler address that points to invalid memory or attacker-controlled code, causing the device to enter an unrecoverable fault state during boot.
As a result, the device becomes permanently inoperable.
How can this vulnerability impact me? :
This vulnerability can cause your Ledger device to become permanently unusable.
If exploited, the device will enter an unrecoverable fault state during boot, resulting in a permanent denial of service.
This means you would lose access to the device and any functionality it provides.