TL;DR:
Vulnerability: A buffer overflow bug in Jade hardware wallet firmware (versions 1.0.24-1.0.36) that could allow malware on a connected computer/phone to crash the device or potentially extract the user's private keys.
Practical implications:
- Only exploitable if: the device is connected via USB or Bluetooth to a malware-infected computer AND the device was unlocked on that interface
- Not vulnerable: QR-only mode, uninitialized devices, or use with the official Blockstream app on clean devices
- No known exploits in the wild
- Fix: Update to firmware 1.0.38+ immediately (includes anti-rollback protection)
- Worst case: an attacker could theoretically steal private keys if sufficiently sophisticated malware was present on the connected host
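The bug class behind the TL;DR is a host-controlled length used to copy into a fixed-size firmware buffer. The example below is added here and is not Jade's code or wire protocol: it uses a constructed frame format (1-byte type, 2-byte little-endian length, payload) to show the unchecked copy beside the hardened parser that rejects over-length and truncated frames before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical host-to-wallet frame: [type:1][len:2 LE][payload:len].
 * Constructed for this example; it is not the Jade wire protocol. */
#define HDR_LEN      3
#define MAX_PAYLOAD  64
#define MAX_FRAME    (HDR_LEN + 1024)   /* largest frame the host may send */

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
    uint8_t  canary;   /* stands in for whatever follows the buffer in memory */
} request_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Vulnerable pattern: the length field is host-controlled and becomes the
 * memcpy size with no comparison against MAX_PAYLOAD, so a frame declaring
 * len > 64 writes past `payload`. Shown for contrast only; nothing below
 * feeds it an over-length frame. */
int parse_request_unchecked(const uint8_t *frame, size_t frame_len, request_t *out)
{
    if (frame_len < HDR_LEN)
        return PARSE_TRUNCATED;
    out->type = frame[0];
    out->len  = (uint16_t)(frame[1] | (frame[2] << 8));
    if (frame_len < (size_t)HDR_LEN + out->len)
        return PARSE_TRUNCATED;
    memcpy(out->payload, frame + HDR_LEN, out->len);   /* unbounded copy */
    return PARSE_OK;
}

/* Hardened parser: reject any declared length the buffer cannot hold before
 * a single byte is copied, and still require the frame to actually carry
 * that many bytes. */
int parse_request_checked(const uint8_t *frame, size_t frame_len, request_t *out)
{
    if (frame_len < HDR_LEN)
        return PARSE_TRUNCATED;
    uint16_t len = (uint16_t)(frame[1] | (frame[2] << 8));
    if (len > MAX_PAYLOAD)
        return PARSE_TOO_LONG;
    if (frame_len < (size_t)HDR_LEN + len)
        return PARSE_TRUNCATED;
    out->type = frame[0];
    out->len  = len;
    memcpy(out->payload, frame + HDR_LEN, len);
    return PARSE_OK;
}

/* Build a constructed frame whose header declares `declared` payload bytes
 * and which actually carries `present` bytes of 0x41. Returns frame length. */
size_t build_frame(uint8_t *buf, size_t cap, uint16_t declared, size_t present)
{
    if (cap < HDR_LEN + present)
        return 0;
    buf[0] = 0x01;
    buf[1] = (uint8_t)(declared & 0xff);
    buf[2] = (uint8_t)(declared >> 8);
    memset(buf + HDR_LEN, 0x41, present);
    return HDR_LEN + present;
}

/* Run the hardened parser on a frame declaring `declared` bytes and
 * carrying `present`; returns the PARSE_* status. */
int checked_result(uint16_t declared, size_t present)
{
    static uint8_t frame[MAX_FRAME];
    request_t req;
    size_t flen = build_frame(frame, sizeof frame, declared, present);
    return parse_request_checked(frame, flen, &req);
}

int main(void)
{
    printf("64-byte payload        : %d (expect 0)\n",  checked_result(64, 64));
    printf("65-byte payload        : %d (expect -2)\n", checked_result(65, 65));
    printf("1024-byte payload      : %d (expect -2)\n", checked_result(1024, 1024));
    printf("declares 16, carries 8 : %d (expect -1)\n", checked_result(16, 8));
    return 0;
}
```

The ordering in the hardened parser matters: the declared length is compared against the buffer capacity first, then against the bytes actually received, and only then is anything copied, so a hostile header can neither overrun `payload` nor read past the end of the received frame.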