Ledger Live and hw-app-eth Integer Parsing Vulnerability in EIP-712 Message Handling

Vulnerability

An integer parsing vulnerability has been identified in Ledger Live versions prior to 2.70.0, specifically within the ledgerhq/hw-app-eth package in versions prior to 6.34.7. The flaw lies in how hexadecimal fields of EIP-712 typed data messages are parsed when a value has an odd number of characters: such values are decoded incorrectly, so an attacker who crafts a message with an odd-length field can obtain a signature over a truncated or misinterpreted value. The signed message can then be used for unauthorized blockchain transactions, such as asset transfers for an amount other than the one the user believed they were approving.
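The following added example (not Ledger's code, and not a reconstruction of the hw-app-eth defect itself) shows the general class of bug the advisory describes: a lenient hex decoder that silently drops the last nibble of an odd-length value, next to a strict decoder that validates the character set and normalizes the length before interpreting the bytes as a uint256. The function names, the sample value `0x1f4` and the lenient-decoder mechanism are illustrative assumptions; the one non-assumed fact is Node's documented behaviour that `Buffer.from(str, "hex")` truncates rather than throws on input it cannot pair into whole bytes.

```javascript
// Added illustration of the odd-length hex pitfall (not Ledger's code).
// Assumptions: the lenient decoder below stands in for any parser that
// decodes hex without checking length; the sample value is constructed.

// Lenient decode. In Node, Buffer.from(s, "hex") stops at the first position
// it cannot pair into a byte, so an odd-length string silently loses its
// final nibble instead of raising an error. "1f4" decodes to <Buffer 1f>.
function lenientHexToBytes(hex) {
  const s = hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
  return Buffer.from(s, "hex");
}

// Strict decode: reject anything that is not hex, then left-pad an
// odd-length value with one "0" so its numeric meaning is preserved
// (0x1f4 is 500 whether written with three or four nibbles).
function strictHexToBytes(hex) {
  if (typeof hex !== "string") {
    throw new TypeError("hex value must be a string");
  }
  let s = hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
  if (!/^[0-9a-fA-F]*$/.test(s)) {
    throw new Error(`invalid hex characters in ${JSON.stringify(hex)}`);
  }
  if (s.length % 2 === 1) {
    s = "0" + s; // normalize: assumption that the field is numeric (uint256)
  }
  return Buffer.from(s, "hex");
}

// Interpret a byte array as an unsigned big-endian integer, which is what a
// uint256 field in an EIP-712 struct denotes.
function bytesToBigInt(bytes) {
  let n = 0n;
  for (const b of bytes) {
    n = (n << 8n) | BigInt(b);
  }
  return n;
}

// Run both decoders on one field value and return what each one "sees".
// Any mismatch is the signature-over-the-wrong-amount problem in miniature:
// the user approves one number, the device signs another.
function compareDecoders(hexValue) {
  return {
    lenient: bytesToBigInt(lenientHexToBytes(hexValue)),
    strict: bytesToBigInt(strictHexToBytes(hexValue)),
  };
}

// Constructed sample: an "amount" of 500 written with an odd nibble count.
const SAMPLE_ODD_AMOUNT = "0x1f4";

const result = compareDecoders(SAMPLE_ODD_AMOUNT);
console.log(`value=${SAMPLE_ODD_AMOUNT} lenient=${result.lenient} strict=${result.strict}`);
```

Whether an odd-length value should be left-padded (as above) or rejected outright is a policy choice that depends on the field type and on what the peer that produced the message is allowed to send; the advisory does not say which approach the fixed versions take. What matters for a defender is that the decoder never returns a shorter value than the input denotes without signalling it, and that the value shown to the user for approval is derived from the same bytes that are signed.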

Impact

Exploitation of this vulnerability could result in unauthorized blockchain transactions, allowing for asset transfers at incorrect amounts.

Added: May 19, 2026, 10:25 PM
Updated: May 19, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.2
remediation: 7.7
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.