Blockstream Jade 1.0.38 Security Update

Jade Security Disclosure

Blockstream Team

Following up on our Jade security announcement, and in accordance with industry disclosure standards, after an exhaustive investigation we give below more context on the reported security issue, our response to being notified by DARKNAVY, and information for our users on how to upgrade and stay safe.

The security of our users' data is of the utmost importance to us. We strive to be completely transparent and open in our dealings, and in this spirit we include a lot of information in this disclosure. We urge all users to review the How To Upgrade section below for details on upgrading and staying safe.

Security disclosures can attract attempts by bad actors to confuse users or impersonate legitimate support channels. With this in mind, please note the following:

  • The only legitimate support for Blockstream products is available through https://help.blockstream.com/.
  • Blockstream will never ask you to share any private data including your recovery phrase, PIN, or user-identifiable information.
  • If you are in doubt about whether a message or link is genuine, please contact us.
  • If you receive a suspicious email, message or contact address, or have concerns about security with any of our products, please email security@blockstream.com or DM our Support team on X.

If you only use the official Blockstream app on a malware-free device, then your Jade is not at immediate risk of exploitation from the identified vulnerability. Additionally, if you only use QR mode, then you are not at risk. Note that in both cases, we still recommend that you upgrade as soon as possible.

Timeline and Background

In early August, we were contacted by DARKNAVY (@DarkNavyOrg), an independent security research and consulting group, seeking clarification on the Jade security reporting policy and announcing that they had found a severe vulnerability that they wished to responsibly disclose to us. After clarifying our policies and communication channels, we received a comprehensive report detailing their findings in early October.

We confirmed the report’s validity with DARKNAVY within 24 hours, implemented a fix for the issue reported, and began an internal audit to ensure that there were no similar issues elsewhere in the Jade source code. In parallel, we adjusted our release schedule to allow for internal testing of the fixed firmware, and set about finalizing the next release. We also searched our support, reported issues, and internal records to verify that the vulnerability was not being actively exploited. This revealed no further issues and no sign that an exploit had been released or was being used. At the same time, we prioritized several initiatives to further improve detection and prevent exploitation of such issues going forward.

We released version 1.0.37 with the fix on Nov 13th, three weeks after receiving the DARKNAVY report. We then began capturing anonymized firmware download counts in order to estimate the uptake of the fixed version. One week later, we released version 1.0.38 to enable anti-rollback protection, ensuring that upgraded devices remain permanently secure. With the 1.0.38 release, we also made a general security announcement, encouraging our users to quickly upgrade.

During our communication, DARKNAVY also reported other issues relating to how the Blockstream wallet app interacts with Jade devices. We verified their findings, audited the app code, and released fixed versions within a week of these reports. We audited and applied similar fixes to our web flashing tool, and updated the web firmware version to contain the fix.

DARKNAVY follows a 90 + 30 responsible disclosure model. From the time a security issue is reported, the affected project has 90 days to develop, test, and release a fix. After a fix is made available, technical details are published following an additional 30-day period.

Blockstream supports DARKNAVY’s approach and use of established responsible disclosure practices for timely issue resolution and prioritization of user safety. This policy is designed to allow appropriate remediation before public disclosure and to ensure users receive clear, actionable guidance for maintaining security.

We would like to publicly thank DARKNAVY again for their responsible and ethical reporting of the vulnerability to us, in addition to providing a comprehensive analysis of the potential impact and suggesting a fix.

Technical Details and Scope

In Jade firmware version 1.0.24, the ability to register a descriptor was added to the firmware via the CBOR RPC interface. The vulnerability lies in the processing of the CBOR message passed to the "register_descriptor" RPC. Due to a missing check on the size of the descriptor parameter data passed by the caller, it is possible to overwrite the process stack with attacker-controlled data, leading to a device crash or limited code execution as detailed below.
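
The C sketch below is added here to illustrate the defect class described above; it is not the Jade firmware's code. It decodes the head of a CBOR text-string parameter and shows the bound that must be enforced before the descriptor is copied into a fixed stack buffer. The 256-byte capacity, the function names and the sample messages are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed capacity for the stack-resident descriptor copy; the real limit is not on the page. */
#define MAX_DESCRIPTOR_LEN 256

/* Decode the head of a CBOR text string (major type 3, lengths up to 16 bits).
 * Returns the declared payload length and sets *head, or -1 if the head is malformed. */
static long cbor_text_len(const uint8_t *b, size_t n, size_t *head)
{
    if (n < 1 || (b[0] >> 5) != 3) return -1;
    uint8_t ai = b[0] & 0x1f;
    if (ai < 24) { *head = 1; return ai; }
    if (ai == 24 && n >= 2) { *head = 2; return b[1]; }
    if (ai == 25 && n >= 3) { *head = 3; return ((long)b[1] << 8) | b[2]; }
    return -1; /* wider length forms and indefinite-length strings are refused */
}

/* Hardened handler: the declared length is bounded by the buffer capacity and by the
 * bytes actually received. Affected firmware lacked the capacity check, so a long
 * descriptor was copied past the end of the stack buffer. */
int register_descriptor_checked(const uint8_t *msg, size_t n)
{
    char descriptor[MAX_DESCRIPTOR_LEN + 1]; size_t head;
    long len = cbor_text_len(msg, n, &head);
    if (len < 0) return -1;
    if ((size_t)len > MAX_DESCRIPTOR_LEN) return -2; /* oversized: reject before copying */
    if ((size_t)len > n - head) return -3;           /* declared length exceeds message: reject */
    memcpy(descriptor, msg + head, (size_t)len);
    descriptor[len] = '\0';
    return 0;
}

/* Constructed sample message: a CBOR text string of text_len 'a' bytes; returns encoded size. */
static size_t build_msg(uint8_t *out, size_t text_len)
{   /* only the 1-byte (0x78) and 2-byte (0x79) length forms are needed for the samples */
    size_t head = 2;
    if (text_len < 256) { out[0] = 0x78; out[1] = (uint8_t)text_len; }
    else { out[0] = 0x79; out[1] = (uint8_t)(text_len >> 8); out[2] = (uint8_t)text_len; head = 3; }
    memset(out + head, 'a', text_len);
    return head + text_len;
}

/* Constructed cases: fits, oversized, truncated on the wire, and wrong CBOR major type. */
int demo_fits(void)       { uint8_t m[600]; size_t n = build_msg(m, 40);  return register_descriptor_checked(m, n); }
int demo_oversized(void)  { uint8_t m[600]; size_t n = build_msg(m, 300); return register_descriptor_checked(m, n); }
int demo_truncated(void)  { uint8_t m[600]; size_t n = build_msg(m, 100); return register_descriptor_checked(m, n - 10); }
int demo_wrong_type(void) { uint8_t m[1] = { 0x40 }; return register_descriptor_checked(m, 1); }
```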

The vulnerable code can only be reached on an initialized and unlocked device, where the device was unlocked using the same interface that the RPC is called on. This means a USB-connected device is only vulnerable to USB RPC calls, and a Bluetooth-connected device is only vulnerable to Bluetooth RPC calls. A device that has been temporarily unlocked is only vulnerable on the interface that was chosen when it was unlocked; QR mode is not vulnerable as it does not expose an RPC interface at all.

The WebUSB API allows web applications to communicate via USB and is the basis for the Jade Web Flashing Tool. This means that web applications that are granted the ability to talk to a Jade device can invoke the "register_descriptor" RPC. Users should take extra care that they only upgrade their devices using the official flashing instructions at https://jadefw.blockstream.com/upgrade/fwupgrade.html.

Jade devices running firmware version 1.0.24 to 1.0.36 can be crashed by a malformed RPC request, leading to a device reboot. Jade devices contain stack protection code that attempts to prevent overwriting of the stack, and triggering this code will cause the device to reboot.

On firmware versions 1.0.24 to 1.0.35, a sophisticated attacker can potentially construct an RPC request that bypasses Jade's stack protection, leading to limited code execution. Version 1.0.36 is not yet known to be vulnerable, but this cannot be ruled out.

If an attacker is able to execute a malicious request, they may change the running software until device reboot. Additionally, they may potentially read and write the device's internal storage and send RPC messages to the host device. This means that the severity of any future exploit based on this vulnerability ranges from griefing the user by destroying stored data, to potentially extracting the user's secret key and returning it via RPC reply message in the worst case scenario.

Versions 1.0.23 and prior, as well as versions 1.0.37 and onward are immune to any attempt to exploit the "register_descriptor" RPC. Version 1.0.38 additionally disallows downgrading the installed firmware to any affected version. To ensure that your device is secure and cannot be downgraded to become vulnerable, we recommend that you upgrade to firmware version 1.0.38 immediately by following the instructions provided in the How To Upgrade section below.

Note that it is not possible for exploitation of this issue to permanently change the software running on the device or to install non-official software that will execute following device reboot.

We will update this announcement with a link to the full DARKNAVY disclosure once published.

Exploitation Analysis

We wish to emphasize that we are not aware of this vulnerability being exploited by any malware in the wild. However, as with any other security-sensitive software, we expect that bad actors monitor our releases looking for vulnerabilities and attempting to develop exploits against older software versions.

If you believe you have discovered malware that attempts to exploit this vulnerability, please contact our security reporting team at security@blockstream.com immediately. If you believe your device has been exploited, please reach out to our support desk.

An exploit related to this vulnerability must be initiated by malware on the host device communicating with Jade (i.e. your mobile device or computer). This could potentially take the form of a fake wallet application, an external malware package installed with some other untrusted software, or a security bypass in your operating environment.

Web pages using the WebUSB API can talk to Jade devices if permission is given by the user. Given that unsophisticated users may be tricked into visiting malicious web pages, Blockstream does not recommend using Jade with any web wallets.

Malware that wishes to exploit an affected Jade faces several hurdles:

  • The firmware software for each Jade device type (Original Jade, Jade 1.1, and Jade Plus) requires device-specific code to fully exploit the vulnerability.
  • Each firmware comes in two configurations: Standard or No-radio (i.e. without Bluetooth support).
  • Each firmware revision for each device and configuration (from 1.0.24 to 1.0.36) will typically require a slightly different payload to be developed to successfully perform an exploit.
  • The Jade may be connected by either USB serial or Bluetooth; a generic exploit must handle both cases.
  • Increasing the severity of the exploit (from crashing the device to exfiltrating secret data) requires a high level of skill and chaining together several advanced techniques, such as partially reversing the compiled firmware to find the locations of code which can be repurposed for an attack.
  • The number of exploitable devices (and therefore the potential of any exploit to reward an attacker) is decreasing rapidly as users update their devices to non-vulnerable versions.

As with any widely used security-sensitive device, we assume motivated attackers will attempt to target older software versions over time. We will continue to monitor the situation and urge users to upgrade; at this time we are encouraged by the high number of users downloading unaffected firmware versions. We will continue to notify users through official channels, including social media and our mailing list, to reinforce the importance of staying up-to-date.

Actions We Are Taking

We have hired a new Jade firmware developer and will be onboarding another developer in Q1 of 2026. This effort has allowed us to improve our internal code review process. We have also increased staffing in supporting teams to allow the development team to focus exclusively on development and security.

New Jade production runs will be flashed with the latest version of firmware. For existing inventory, we are taking action to ensure that all device packaging incorporates reminders to upgrade firmware during the setup process, and standardizing communication throughout all available channels: product pages, social media, and in-app notifications.

We have audited the Jade source code for other cases where an RPC may be affected. This process is ongoing and its scope has been expanded to include identifying opportunities for further hardening the firmware. For example, we are currently testing increased stack protections in the development device firmware builds.

After you open the Blockstream app, it will prompt you to update your Jade to 1.0.38 when you connect it. Upgrading will soon become mandatory to access wallet management functionality.

We are actively investigating options for an independent, third-party public security audit of the Jade source code. Users can expect an announcement on this once finalized.

In order to improve our analysis and testing capabilities during development cycles, we have brought forward an ongoing internal project known as "libjade", which is now merged into our public source code repository. libjade is a work-in-progress which allows building and running the Jade firmware as a native software library. With libjade, we have been able to greatly increase our test coverage and run the latest memory safety, static analysis, and benchmarking tools against the firmware directly. We intend to use libjade to greatly increase our fuzz testing since it allows tests to run hundreds of times faster than on real hardware or under emulation.

We are also undertaking a further internal audit of all software that interacts with Jades, such as the Blockstream app and the firmware flashing tool.

We are continuing to look into new ways to keep our users safe, and welcome your suggestions and contributions for increasing the quality and security of our software. If you have feedback or would like to contribute to Jade development, feel free to join us on our public repository at https://github.com/Blockstream/Jade.

How To Upgrade

The best defense against any attack is to always keep your software up-to-date. This includes your companion app (e.g. the Blockstream app), your web browser, and your operating system, in addition to the Jade firmware.

It is important that you upgrade your companion app to the latest available version. Apps which support Jade OTA updates will offer you the latest version of the firmware to update with.

You can safely upgrade Jade using your companion app, or any method you prefer according to our instructions, if you fall into any of the following categories:

  • Your Jade is uninitialized or has been factory reset.
  • You have only used your Jade in QR mode.
  • Your Jade is running firmware version 1.0.36 or later.
  • You are certain that the device you are upgrading from is free of malware.

For Jade Plus devices, performing a USB upgrade via JadeLink or compatible USB drive is safe. Follow these instructions.

Otherwise, if you are concerned that your host device (mobile device or computer) may be compromised, you should:

  • Ensure that your Jade’s recovery phrase is backed up correctly.
  • Factory reset your Jade to erase all data from the device.

Following the above two steps, it is now safe to connect your Jade to any host device.

Upgrade Jade using your companion app or any method you prefer according to our instructions. Your Jade is safe once the update completes and the device reboots. Ensure that the version displayed is 1.0.38 or later.

If you believe that your host device is compromised, you should reinstall or replace it before using Jade or any Bitcoin software with the device.

As an alternative to resetting your Jade, you can use a guaranteed clean device (e.g. a freshly installed laptop from signed installation media) to perform the upgrade using the links above.

If you encounter any problems, please reach out to our support desk for guidance.

Summary

  • Affected versions: Jade firmware 1.0.24 through 1.0.36
  • Unaffected versions: 0.1.21 to 1.0.23, 1.0.37 and later
  • Risk status: No evidence of exploitation in the wild
  • User action required: Upgrade to firmware version 1.0.38 or later
  • Funds at risk: No confirmed loss of user funds related to this issue

Security is paramount to all that we do at Blockstream. Beyond the measures described in this disclosure, we are always looking for ways to improve our users’ protection.

If you have questions or concerns regarding our security practices, feel free to contact us.

To report security issues, please email security@blockstream.com.

For press inquiries, reach out to press@blockstream.com.
