CVE-2020-6861

Published: May 6, 2020Modified: Jun 17, 2026

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC.

Affected (1)

Products: Ledger: Monero

1 product

Configuration A

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Ledger Monero	Before 1.5.1

Running on/with	Platform Versions
Ledger Nano S	All versions
Ledger Nano X	All versions

Related CWEs

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

References (4)

https://deadcode.me/blog/2020/04/25/Ledger-Monero-app-spend-key-extraction.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://donjon.ledger.com/lsb/008/

Source: cve@mitre.org

ExploitVendor Advisory

https://deadcode.me/blog/2020/04/25/Ledger-Monero-app-spend-key-extraction.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://donjon.ledger.com/lsb/008/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.