Blockstream Jade firmware flaw patched — upgrade to 1.0.38 now

Blockstream disclosed a critical firmware vulnerability affecting Jade hardware wallets running firmware versions 1.0.24–1.0.36. Reported by security researchers DARKNAVY in early October, the flaw involves the CBOR register_descriptor RPC and can be triggered via the host interface (USB or Bluetooth). Malformed RPC requests can crash devices and, in some firmware versions, allow limited code execution and potential data access. QR-only mode and uninitialized devices are not affected.

Blockstream released a fix on Nov 13 in firmware 1.0.37 and added anti-rollback protection in 1.0.38; versions 1.0.23 and earlier, and 1.0.37+ (including 1.0.38), are not vulnerable. There is no evidence of in-the-wild exploitation. Blockstream urges all Jade owners to upgrade immediately to 1.0.38 or later via official sources and to avoid using web wallets or untrusted hosts during the update. Recommended actions for users who suspect a compromised host include backing up the recovery phrase, performing a factory reset, and updating from a clean machine.

Blockstream is increasing engineering resources, improving code review and testing (including libjade for native testing and fuzzing), auditing related software, and considering third-party audits. Traders should note that this affects hardware wallet security: prompt upgrades reduce custodial risk and lower the chance of compromised private keys, which could otherwise add selling pressure if exploitation occurred.
Neutral
The news is primarily a security patch for a hardware wallet rather than a protocol or token vulnerability. There is no evidence of in-the-wild exploitation, and the vendor released fixes (1.0.37 and anti-rollback 1.0.38) while urging users to update. No native asset is directly tied to Blockstream, and for general crypto markets the immediate price impact is likely neutral: the update reduces custody risk and reassures users, but it does not change the fundamentals of major cryptocurrencies. Short-term effects could include cautious behaviour from users holding hardware-stored assets: some may momentarily move funds to exchange custody or delay transactions until they update, producing minor, localized liquidity shifts. Long-term, timely patching and improved security controls reduce systemic custodial risk and support market confidence. Overall, because the issue is confined to a hardware wallet model with a contained patch and no proven exploits, the expected market reaction is neutral rather than bullish or bearish.