Description
Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses.
Published: 2026-05-20
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ledger Bitcoin app versions 2.1.0 and 2.1.1 allow an attacker to supply a malformed miniscript policy containing the a: fragment that causes the device to derive and present an incorrect receiving Bitcoin address. The vulnerability is a consequence of improper handling of miniscript policies and is classified as CWE-682. If an attacker can influence the policy, they may trick a user into sending funds to a wrong address, leading to potential loss of cryptocurrency.

Affected Systems

The affected system is the Ledger Bitcoin app running on Ledger hardware wallets. Versions 2.1.0 and 2.1.1 of the app are impacted. No other versions, vendors, or platforms are listed as affected in the advisory.

Risk and Exploitability

The CVSS v4.0 score of 4.1 (the v3.1 vector scores 4.0) indicates moderate severity, and no EPSS score is available, so there is no publicly documented estimate of exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been reported as actively exploited. An attacker would need to get a user to load a crafted miniscript policy, for example by having the user accept a malicious transaction proposal. With no remote code execution vector, the impact is limited to incorrect address generation, but the financial consequences can be significant if the user trusts the displayed address without independent verification.

Generated by OpenCVE AI on May 20, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ledger Bitcoin app to the latest released version that resolves the address derivation bug
  • Until a fix is available, avoid using miniscript policies that include the a: fragment or any complex miniscript on the device
  • Verify that the device shows the expected receiving address by testing a small, non-critical transaction to a known safe address before sending valuable funds



Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 15:30:00 +0000

Type: Description
Values removed: (none)
Values added: (identical to the Description at the top of this page)

Type: Title
Values removed: (none)
Values added: Ledger Bitcoin App 2.1.0 Address Derivation Error via Miniscript

Type: Weaknesses
Values removed: (none)
Values added: CWE-682

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1 {'score': 4, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N'}
  cvssV4_0 {'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T15:31:29.002Z

Reserved: 2026-05-20T13:07:44.334Z

Link: CVE-2023-7346

Vulnrichment

Updated: 2026-05-20T15:31:21.532Z

NVD

Status: Deferred

Published: 2026-05-20T16:16:23.770

Modified: 2026-05-20T17:33:05.830

Link: CVE-2023-7346

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T16:30:14Z

Weaknesses