A post-mortem analysis of a critical out-of-bounds memory vulnerability discovered in hardware wallet firmware using a hybrid Python/C architecture. The flaw stems from a mismatch between the high-level Python parser (which permits BIP32 derivation paths up to 32 indices) and the underlying C struct (which enforces a fixed buffer of 8 indices). The full 11-step architectural trace shows how an unbounded path parsed from PSBT or UR payloads propagates through multiple layers — PSBT key decoder, UR registry parser, transaction builder, signer, and HAL wrapper — without any boundary check, ultimately triggering an unconstrained memory read/write against the fixed BIP32Node structure. The fix requires centralized boundary sanitization at the cross-language boundary before memory transfers occur. The vendor was notified 72 hours before publication.
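The boundary check that the summary above describes as missing, written here as an added example (not the firmware's own code): a C-side path parser that enforces the fixed struct capacity before any index is written, so a path that the higher-level parser accepted with up to 32 indices cannot overrun the 8-entry buffer. The struct and function names, and the depth limit of 8 taken from the summary, are assumptions for illustration.

```c
/* Added example: parse a BIP32 path into a fixed-capacity struct with the
 * bound enforced at the boundary. Names are hypothetical, not the vendor's. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define BIP32_MAX_DEPTH 8            /* capacity of the fixed C struct */
#define BIP32_HARDENED  0x80000000u  /* hardened-index marker bit */

typedef struct {
    uint8_t  depth;                  /* number of valid entries in index[] */
    uint32_t index[BIP32_MAX_DEPTH]; /* fixed buffer: the overflow target */
} bip32_path_t;

/* Parse "m/84'/0'/0'/0/5" into out. Returns 0 on success, -1 on a
 * malformed component (non-numeric, index >= 2^31, trailing slash), and
 * -2 when the path carries more than BIP32_MAX_DEPTH indices, which is the
 * case the unchecked layers in the summary let through. */
int bip32_path_parse(const char *path, bip32_path_t *out)
{
    memset(out, 0, sizeof(*out));
    if (path == NULL || path[0] != 'm') return -1;
    const char *p = path + 1;
    if (*p == '\0') return 0;                 /* master key only, depth 0 */
    while (*p == '/') {
        p++;
        if (*p < '0' || *p > '9') return -1;  /* strtoul would accept +/-/space */
        char *end;
        errno = 0;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || errno != 0 || v >= BIP32_HARDENED) return -1;
        if (*end == '\'' || *end == 'h') { v |= BIP32_HARDENED; end++; }
        if (*end != '/' && *end != '\0') return -1;
        /* Bound check BEFORE the write: depth can never exceed the buffer. */
        if (out->depth >= BIP32_MAX_DEPTH) return -2;
        out->index[out->depth++] = (uint32_t)v;
        p = end;
    }
    return (*p == '\0') ? 0 : -1;             /* reject trailing junk */
}
```

The same limit must be the one the Python layer validates against; checking here only protects the C struct, while the summary's fix is to reject the over-long path once, at the cross-language boundary, before the transfer.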
Table of contents
Architecture & Boundary Mismatch in Hybrid Firmware Environments: A Post-Mortem
1. Executive Summary
2. Concrete Engineering Issue
3. Source-Level Architectural Trace
4. Conclusion