Description
gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue.
Published: 2026-01-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ReadFile in the gmrtd Go library currently accepts TLV lengths of up to 4GB, leading to uncontrolled memory allocation and CPU consumption. An attacker can exploit this by sending a malformed TLV, causing the library to allocate or iterate many 256‑byte chunks and stall the goroutine. The result is a denial of service, aligning with CWE‑400 (Uncontrolled Resource Consumption) and CWE‑770 (Out‑of‑Bound array read).

Affected Systems

The vulnerable code resides in the gmrtd Go library used to read Machine Readable Travel Documents. Any application that imports this library and reads data from NFC or other transports is impacted. Versions earlier than 0.17.2 are affected; the patch was shipped in release 0.17.2.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate impact, but the EPSS score of less than 1% shows a very low likelihood of active exploitation. The vulnerability is not in CISA’s KEV catalog. Attackers can trigger the issue by delivering a malicious NFC tag that emits TLVs with excessive lengths, which the library will process, consuming memory and CPU. This is a remote denial‑of‑service vector that can affect any device that reads contactless data through the library.

Generated by OpenCVE AI on April 18, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the gmrtd library to version 0.17.2 or later where the TLV length validation is fixed.
  • Add application‑level validation to reject TLV lengths beyond a reasonable threshold before calling ReadFile, ensuring that only expected size ranges are processed.
  • Run the NFC reading routine in a sandboxed process or container with strict memory and CPU limits, and enforce a timeout to prevent prolonged blocking of the main application.

Generated by OpenCVE AI on April 18, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j49h-6577-5xwq gmrtd ReadFile Vulnerable to Denial of Service via Excessive TLV Length Values
History

Wed, 04 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gmrtd:gmrtd:*:*:*:*:*:go:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 28 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Gmrtd
Gmrtd gmrtd
Vendors & Products Gmrtd
Gmrtd gmrtd

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Description gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue.
Title gmrtd ReadFile Vulnerable to Denial of Service via Excessive TLV Length Values
Weaknesses CWE-400
CWE-770
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Gmrtd Gmrtd
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T15:16:31.785Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24738

cve-icon Vulnrichment

Updated: 2026-01-28T15:16:24.304Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T21:16:03.117

Modified: 2026-03-04T16:20:10.587

Link: CVE-2026-24738

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses