CVE-2023-27892

CVSS 3.8 (Low) · EPSS 0.5% · CWE-120
Vexday Risk Score: 8 (Low)
SSVC decision (CISA): Track (no exploitation signal → monitor)
CVSS 3.8 · EPSS 0.5% · KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle: published on NVD on 02 May 2023
Recommendation: Monitor — no exploitation signal at the moment.
Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal arbitrary microcontroller memory on the device screen or crash the device. With physical access to a PIN-unlocked device, attackers can extract the BIP39 mnemonic secret from the hardware wallet.
CVSS vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected products: n/a