Blockstream has released updated firmware for its Jade hardware wallet after an independent security research group, DARKNAVY, responsibly disclosed a vulnerability affecting certain older firmware versions.
1/ Two weeks ago, we notified users about a vulnerability on select versions of Jade firmware. This issue is now fully resolved in the latest firmware update. Read the technical details of this vulnerability here: https://t.co/FHMdysy3DT https://t.co/t0nAdkOKti
— Blockstream Jade (@BlockstreamJade) December 17, 2025
The issue impacts Jade devices running firmware versions 1.0.24 through 1.0.36. Blockstream stated that there is no evidence the vulnerability has been exploited in the wild, and the company is not aware of any malware targeting the vulnerability.
According to Blockstream, exploitation would require highly specific malware tailored to the exact Jade model, firmware configuration, and connection method.
This means an attacker would need to infect your host device (laptop or phone) with malware written specifically for your Jade device (there are three versions) and for the exact firmware type (radio or no-radio).
Multiple components would need to be present at the same time, significantly limiting the practicality of an attack.
If an attacker is able to execute a malicious request, they may alter the running software until the device is rebooted. Additionally, they may be able to read from and write to the device’s internal storage and send RPC messages to the host device.
This means the severity of any future exploit based on this vulnerability could range from disrupting the device by destroying stored data to, in a worst-case scenario, temporarily interfering with device operation while it is unlocked.
However, the firmware cannot be permanently altered, and malicious code would not persist after a reboot.
Blockstream released firmware version 1.0.37 to fix the issue, followed by version 1.0.38, which adds protection against downgrading to affected versions. The company recommends that all users upgrade immediately.
Users concerned about host device security are advised to back up their recovery phrase, factory reset the device, update the firmware, and then restore the wallet. Using a clean, fully updated phone or computer is also recommended.
Blockstream said it is expanding its firmware team, increasing internal audits, and improving testing tools to strengthen Jade’s security.
CEO Adam Back encouraged users to keep devices up to date, stating that upgrading to the latest firmware is the best way to remain protected.