CVE-2026-24738

6.5 MEDIUM

📋 TL;DR

The gmrtd Go library for reading Machine Readable Travel Documents (MRTDs) has a vulnerability where ReadFile accepts TLV structures with lengths up to 4GB, causing unconstrained resource consumption. This allows malicious NFC devices or API calls to cause extreme slowdowns, memory exhaustion, and unresponsive threads. Projects using gmrtd to read NFC-based travel documents are affected.

💻 Affected Systems

Products:
  • gmrtd Go library
Versions: All versions prior to 0.17.2
Operating Systems: All platforms running Go applications using gmrtd
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using gmrtd's ReadFile function to process MRTD/NFC data.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system resource exhaustion leading to denial of service, application crashes, and potential system instability on constrained devices like phones.

🟠 Likely Case

Application slowdowns, high memory consumption, and unresponsive threads when processing malicious NFC data.

🟢 If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: MEDIUM - Only affects systems exposed to NFC reading or API endpoints using the vulnerable library.
🏢 Internal Only: LOW - Requires physical NFC access or internal API calls with malicious data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious TLV data via NFC or API calls to ReadFile function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.17.2

Vendor Advisory: https://github.com/gmrtd/gmrtd/security/advisories/GHSA-j49h-6577-5xwq

Restart Required: Yes

Instructions:

1. Update the gmrtd dependency to version 0.17.2 or later.
2. Run 'go get github.com/gmrtd/gmrtd@v0.17.2'.
3. Rebuild and redeploy affected applications.
4. Restart services using the library.

🔧 Temporary Workarounds

Input validation wrapper

Applies to: all

Add custom validation that caps the TLV length before the data is passed to ReadFile.

// Go code to validate TLV length before processing (inside a function returning error)
if tlvLength > 65535 { return errors.New("tlv length exceeds limit") }
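A more complete form of this wrapper, added here as an example (not code from gmrtd or the advisory): it decodes a BER-TLV length field the way MRTD files encode it, where the long form 0x84 can declare up to 4 GiB, and refuses any value that exceeds a caller-chosen cap or the bytes actually received, before anything reaches ReadFile. The names decodeBERLength and maxTLVLen are assumptions.

```go
package main

import "fmt"

// Hypothetical cap on a single TLV value; 65535 mirrors the workaround above.
const maxTLVLen = 65535

// decodeBERLength parses a BER length at buf[0] and returns (length, header bytes).
// Long form 0x81..0x84 can declare up to 4 GiB, so the value is accepted only when
// it is within limit AND the buffer actually holds that many bytes after the header.
func decodeBERLength(buf []byte, limit uint64) (uint64, int, error) {
	if len(buf) == 0 {
		return 0, 0, fmt.Errorf("tlv: missing length field")
	}
	hdr, n := 1, uint64(0)
	if buf[0] < 0x80 { // short form: the byte itself is the length
		n = uint64(buf[0])
	} else {
		k := int(buf[0] & 0x7f)
		if k == 0 || k > 4 { // 0x80 (indefinite) and more than 4 length bytes are rejected
			return 0, 0, fmt.Errorf("tlv: malformed length byte 0x%02x", buf[0])
		}
		if len(buf) < 1+k {
			return 0, 0, fmt.Errorf("tlv: length field truncated")
		}
		for _, b := range buf[1 : 1+k] {
			n = n<<8 | uint64(b)
		}
		hdr = 1 + k
	}
	if n > limit || n > uint64(len(buf)-hdr) {
		return 0, 0, fmt.Errorf("tlv: declared length %d exceeds cap %d or remaining %d bytes", n, limit, len(buf)-hdr)
	}
	return n, hdr, nil
}

func main() {
	// Constructed inputs: a hostile header declaring 4 GiB, and a benign 3-byte value.
	hostile := []byte{0x84, 0xff, 0xff, 0xff, 0xff}
	benign := []byte{0x82, 0x00, 0x03, 'a', 'b', 'c'}
	for _, in := range [][]byte{hostile, benign} {
		n, hdr, err := decodeBERLength(in, maxTLVLen)
		fmt.Printf("len=%d header=%d err=%v\n", n, hdr, err)
	}
}
```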

🧯 If You Can't Patch

  • Implement rate limiting and monitoring for NFC/API endpoints using gmrtd
  • Deploy resource limits (memory, CPU) on containers/processes using the library

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for a gmrtd version lower than 0.17.2

Check Version:

grep gmrtd go.mod || grep gmrtd go.sum

Verify Fix Applied:

Confirm gmrtd version is 0.17.2 or higher in dependencies

📡 Detection & Monitoring

Log Indicators:

  • High memory consumption alerts
  • Application slowdown logs
  • Goroutine blocking warnings

Network Indicators:

  • Unusually large NFC data transfers
  • Extended API call durations

SIEM Query:

source="application.logs" AND ("memory exhaustion" OR "slow response" OR "goroutine blocked") AND process="*gmrtd*"
