Ledger Nano X, Flex, Stax MCU Firmware Update Denial of Service

Advisories

Ledger Nano X, Flex, Stax MCU Firmware Update Denial of Service

severity: medium
date: 5/19/2026
Affecting: Ledger Nano X < 2.4.2
Ledger Flex < 1.2.2
Ledger Stax < 1.6.2
CVE: CVE-2025-15645
CWE: CWE-1284 Improper Validation of Specified Quantity in Input
CVSS: 5.7
CVSS V4 Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: Ledger Security Bulletin 021
Credit: Guanxing Wen, VulnCheck
Description: Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-controlled code to cause the device to enter an unrecoverable fault state during boot, resulting in permanent loss of operability.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo