CVE-2026-24738

EPSS 0.01%
Veröffentlicht 27.01.2026 21:16:03
Zuletzt bearbeitet 04.03.2026 16:20:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data  to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in  accepting data for a very large number of iterations.  projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gmrtd ≫ Gmrtd SwPlatformgo Version < 0.17.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.01

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	5.9	0	0	CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/gmrtd/gmrtd/commit/54469a95e5a20a8602ac1457b2110bfeb80c8891

Patch

https://github.com/gmrtd/gmrtd/releases/tag/v0.17.2

Product

Release Notes

https://github.com/gmrtd/gmrtd/security/advisories/GHSA-j49h-6577-5xwq

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-24738

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24738

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24738

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24738