CVE-2025-15645
Deferred Deferred - Pending Action
MCU Firmware Update DoS in Ledger Nano X, Flex, and Stax

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: VulnCheck

Description
Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-controlled code to cause the device to enter an unrecoverable fault state during boot, resulting in permanent loss of operability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2025-15645
EUVD
EUVD-2025-209901
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ledger ledger_nano_x *
ledger ledger_stax *
ledger ledger_flex *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Ledger Nano X, Flex, and Stax devices. It is a denial of service issue in the MCU firmware update process caused by missing validation of the reset_handler parameter during firmware flashing.

An attacker can supply a crafted reset_handler address that points to invalid memory or attacker-controlled code, causing the device to enter an unrecoverable fault state during boot.

As a result, the device becomes permanently inoperable.

Impact Analysis

This vulnerability can cause your Ledger device to become permanently unusable.

If exploited, the device will enter an unrecoverable fault state during boot, resulting in a permanent denial of service.

This means you would lose access to the device and any functionality it provides.

Compliance Impact

This vulnerability causes a denial of service by permanently bricking affected Ledger devices, resulting in loss of device operability.

The impact is limited to device operability and does not affect client funds or data confidentiality.

There is no information provided about effects on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves a denial of service condition triggered during the MCU firmware update process on Ledger Nano X, Flex, and Stax devices by providing a crafted reset_handler address. Detection would primarily involve monitoring firmware update attempts and verifying the integrity and validity of the reset_handler parameter during the flashing process.

Since the vulnerability is specific to the firmware update process and the device entering an unrecoverable fault state during boot, detection on a network or system level would be challenging without device-specific diagnostic tools.

No specific commands or network detection methods are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating affected Ledger devices to the fixed firmware versions where the vulnerability has been addressed.

  • Ledger Nano X to version 2.4.2 or later
  • Ledger Flex to version 1.2.2 or later
  • Ledger Stax to version 1.6.2 or later

Avoid performing firmware updates from untrusted sources or using unverified update files to prevent exploitation of the reset_handler parameter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15645. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart