CVE-2025-15645

MEDIUM EPSS 11.2%
Published May 19, 20261mo ago · Modified Jun 17, 20262w ago
5.1 CVSS 4.0
Medium
Find Similar
Published May 19, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-controlled code to cause the device to enter an unrecoverable fault state during boot, resulting in permanent loss of operability.

CVSS Details

Base Score
5.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Physical
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
11.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-1284

References 2

  • donjon.ledger.com https://donjon.ledger.com/lsb/021/
  • vulncheck.com https://www.vulncheck.com/advisories/ledger-nano-x-flex-stax-mcu-firmware-update-denial-of-service

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.