LiveActive security incident?Get immediate response
CVE Record

CVE-2023-7346: Ledger Bitcoin App 2.1.0 Address Derivation Error via Miniscript

Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses.

MediumCVSS 4.1Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-7346 is a Ledger Bitcoin app flaw where certain Miniscript wallet policies can make a device show the wrong receiving address. If a user trusts that displayed address, Bitcoin could be sent to an unintended address. The issue requires a crafted policy and user action; no active exploitation is reported in the provided sources.

Executive priority

Prioritize if the organization uses Ledger devices for Bitcoin custody with Miniscript workflows. The main business risk is misdirected funds, not system compromise. For standard users without Miniscript policy use, urgency appears lower but version verification is still warranted.

Technical view

The flaw is an address-derivation error in Ledger Bitcoin app handling of Miniscript policies containing the “a:” fragment. The CVSS 4.0 score is 4.1, with physical attack vector, high complexity, required attack conditions, and active user interaction. The listed weakness is CWE-682, incorrect calculation.

Likely exposure

Exposure appears limited to users or organizations using Ledger Bitcoin app versions identified in the advisories and Miniscript-based policies. The bundle mentions versions 2.1.0 and 2.1.1 in the description, but also lists 2.1.2 as affected, so confirm against Ledger’s bulletin.

Exploitation context

An attacker would need to introduce or influence a malicious Miniscript policy and get the user to rely on the resulting displayed receive address. This is not described as remote mass exploitation, and the CVE is not listed as KEV in the provided data.

Researcher notes

The provided metadata contains a version inconsistency: the narrative names 2.1.0 and 2.1.1, while the affected list also includes 2.1.2. Do not assume exploit availability or a fixed version from this bundle alone; use Ledger’s advisory as the primary source.

Mitigation direction

  • Check Ledger Security Bulletin 019 for the authoritative fixed or safe app version.
  • Update the Ledger Bitcoin app when Ledger guidance identifies a corrected release.
  • Avoid using untrusted Miniscript policies with affected Ledger Bitcoin app versions.
  • Treat unexpected receive addresses as suspicious and verify wallet policy provenance.

Validation and detection

  • Inventory Ledger devices using the Bitcoin app and record app versions.
  • Identify workflows using Miniscript policies, especially externally supplied policies.
  • Compare installed versions against Ledger Security Bulletin 019 and CVE records.
  • Review recent receiving-address generation events for policy source and user approval context.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-682: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2023-7346 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.1 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
3Timeline events
1ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.1CVSS 4.0MediumCVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NVulnCheck
4CVSS 3.1MediumCVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N0.43.6VulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

4.1Medium
CVSS 4.0 vector shape for CVE-2023-7346Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LedgerLedger Bitcoin app2.1.0, 2.1.1, 2.1.2unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-682 · source CWE mapping

Incorrect Calculation

Incorrect Calculation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.