CVE-2026-24738 Overview
CVE-2026-24738 is a Resource Exhaustion vulnerability affecting the gmrtd Go library, which is used for reading Machine Readable Travel Documents (MRTDs) via NFC. Prior to version 0.17.2, the ReadFile function accepts TLV (Tag-Length-Value) structures with lengths ranging up to 4GB, enabling unconstrained resource consumption in both memory and CPU cycles. This vulnerability can be exploited by malicious NFC devices to cause denial of service conditions on systems utilizing the library.
Critical Impact
Applications using the gmrtd library to read NFC-based travel documents can experience extreme slowdowns, memory exhaustion, or complete system unresponsiveness when interacting with malicious NFC devices.
Affected Products
- gmrtd Go library versions prior to 0.17.2
- Applications using gmrtd for MRTD/NFC processing
- Mobile applications and constrained environments utilizing the vulnerable library
Discovery Timeline
- 2026-01-27 - CVE CVE-2026-24738 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24738
Vulnerability Analysis
The vulnerability exists in the ReadFile function within the gmrtd library's ISO 7816/NFC session handling. The function processes extended TLV structures without proper bounds checking, allowing length values that far exceed what would realistically be available in integrated circuits (ICs) found in travel documents. When the library encounters a maliciously crafted TLV with an excessively large length field, it attempts to read data in 256-byte chunks, which for a 4GB length would require approximately 16.7 million iterations.
This design flaw creates two primary attack vectors: first, the excessive iteration count locks the goroutine in a prolonged data-acceptance loop, making the receiving thread unresponsive; second, the library attempts to allocate memory commensurate with the declared length, which can exhaust available memory on constrained environments such as mobile devices.
Root Cause
The root cause is CWE-400: Uncontrolled Resource Consumption. The ReadFile function lacks proper validation of TLV length fields before initiating read operations. There were no maximum bounds enforced on the TLV length or the number of read chunks permitted, allowing unbounded resource allocation.
Attack Vector
This vulnerability requires Adjacent Network access, meaning an attacker must be in physical proximity to exploit it via NFC communication. A malicious NFC device can masquerade as a legitimate travel document and send crafted TLV responses with exaggerated length fields. The attacking device simply transmits dummy bytes in each chunk read, forcing the victim system to continue processing until resources are exhausted.
const INS_SELECT = byte(0xA4)
const INS_READ_BINARY = byte(0xB0)
+// default to 65,535 maximum file (TLV) size
+// - as we always read the first 4 bytes (so max 2 byte length)
+const READ_FILE_MAX_TLV_LENGTH = tlv.TlvLength(65535)
+
+// default to 1,000 chunks when reading a file
+// - some older passports support <100 byte reads
+const READ_FILE_MAX_CHUNKS = 1000
+
// TODO - extended length support? odd INS read-binary can support larger offset.. and potentially avoid SELECT FILE
//
// 3.5.2 READ BINARY
Source: GitHub Commit 54469a9
The patch introduces two critical constants: READ_FILE_MAX_TLV_LENGTH limiting TLV sizes to 65,535 bytes (2-byte length maximum), and READ_FILE_MAX_CHUNKS capping read operations at 1,000 chunks. These bounds prevent the unbounded resource consumption that enabled the denial of service attack.
Detection Methods for CVE-2026-24738
Indicators of Compromise
- Abnormal memory consumption spikes in applications using gmrtd for NFC operations
- Application threads becoming unresponsive during NFC read operations
- System slowdowns or crashes when processing travel documents via NFC
- Extended goroutine execution times in NFC session handling
Detection Strategies
- Monitor memory allocation patterns in applications utilizing the gmrtd library
- Implement application-level timeouts for NFC read operations
- Track goroutine execution duration and flag abnormally long-running read operations
- Use dependency scanning tools to identify gmrtd versions prior to 0.17.2
Monitoring Recommendations
- Deploy software composition analysis (SCA) tools to detect vulnerable gmrtd library versions
- Implement resource consumption alerts for mobile applications using NFC document reading
- Monitor application logs for NFC session timeouts or memory allocation failures
- Configure endpoint protection to detect unusual CPU or memory consumption patterns
How to Mitigate CVE-2026-24738
Immediate Actions Required
- Upgrade the gmrtd library to version 0.17.2 or later immediately
- Review all applications that depend on gmrtd for MRTD/NFC processing
- Implement application-level timeouts for NFC read operations as a defense-in-depth measure
- Consider temporarily disabling NFC document reading functionality until patches are applied
Patch Information
The vulnerability has been addressed in gmrtd version 0.17.2. The patch introduces maximum bounds for TLV length (READ_FILE_MAX_TLV_LENGTH = 65535) and chunk read iterations (READ_FILE_MAX_CHUNKS = 1000), preventing the unbounded resource consumption. The fix is available via the GitHub Release v0.17.2. Additional details can be found in the GitHub Security Advisory GHSA-j49h-6577-5xwq.
Workarounds
- Implement application-level timeouts that abort NFC read operations exceeding reasonable durations
- Add memory allocation limits in the application layer before calling gmrtd functions
- Wrap gmrtd calls with context cancellation to prevent goroutine blocking
- Consider sandboxing NFC processing in isolated processes with resource constraints
# Update gmrtd library to patched version
go get github.com/gmrtd/gmrtd@v0.17.2
# Verify the installed version
go list -m github.com/gmrtd/gmrtd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
