Integer Parsing Vulnerability in Ledger Live by Ledger
CVE-2023-7345

6.9MEDIUM

Key Information:

Vendor: Ledger
Status: Ledgerhq/hw-app-eth; Ledger Live
Vendor: CVE Published:; 19 May 2026

What is CVE-2023-7345?

Ledger Live, the proprietary cryptocurrency management software by Ledger, suffers from an integer parsing vulnerability in versions prior to 6.34.7. This flaw occurs in the generation of EIP-712 typed data messages, where incorrect handling of hexadecimal field parsing in scenarios involving odd-length values can lead to exploitation. Attackers can leverage this vulnerability to manipulate message values, enabling the signing of truncated or misinterpreted data. Such unauthorized signatures may result in unintended blockchain transactions, including asset transfers that could compromise user funds.

Affected Version(s)

Ledger Live 0 < 2.70.0

ledgerhq/hw-app-eth 0 < 6.34.7

References

https://donjon.ledger.com/lsb/020/

vendor-advisory

https://www.vulncheck.com/advisories/ledger-live-hw-app-e...

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 19, 2026

Credit

Ian Fisher

VulnCheck

CVE-2023-7345 Data

JSON