CVE-2025-15645 MEDIUM

CVE-2025-15645: Ledger Nano X, Flex, Stax MCU Firmware Update Denial of Service

Vendor Ledger
Product Ledger Nano X
Weakness CWE-1284
Published May 19, 2026
Last update May 20, 2026

CVSS base score

4.6/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-controlled code to cause the device to enter an unrecoverable fault state during boot, resulting in permanent loss of operability.

Key dates

02Disclosure timeline

May 19, 2026 CVE published
May 20, 2026 Record updated