PT-2026-4858 · Gmrtd · Gmrtd

Ramrunner · Published 2026-01-27 · Updated 2026-03-04 · CVE-2026-24738

CVSS v3.1: 6.5 Medium

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

gmrtd versions prior to 0.17.2

Description

The gmrtd Go library contains a flaw where the ReadFile function accepts TLVs (Tag-Length-Value) with lengths up to 4GB. This can lead to excessive resource consumption, including memory and CPU cycles, potentially causing slowdowns or making the receiving thread unresponsive. A malicious NFC (Near Field Communication) chip can exploit this by sending dummy bytes in chunks, overwhelming the system. This issue affects projects using the gmrtd library to read files from NFCs. The vulnerability arises from the unconstrained resource consumption during the processing of large TLVs, specifically when reading data in 256-byte chunks.

Recommendations

Update to gmrtd version 0.17.2 or later.
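
For code that parses TLVs from an untrusted chip, the class of defect described above is avoided by checking the declared length against a limit before reading or allocating anything. The following is an added example, not gmrtd's code or its fix; it assumes BER-style length encoding, and `ReadValue`, `ErrTooLarge` and the 64 KiB limit are hypothetical names and values chosen for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("tlv: declared length exceeds limit")

// ReadValue decodes a BER-TLV length (tag already consumed) and rejects a
// declared length above maxLen before any value byte is read or buffered.
func ReadValue(r *bufio.Reader, maxLen uint32) ([]byte, error) {
	b, err := r.ReadByte()
	if err != nil {
		return nil, err
	}
	length := uint32(b) // short form: the byte itself is the length
	if b >= 0x80 {      // long form: low 7 bits count the length bytes
		n := int(b & 0x7f)
		if n == 0 || n > 4 {
			return nil, fmt.Errorf("tlv: unsupported length form 0x%02x", b)
		}
		length = 0
		for i := 0; i < n; i++ {
			if b, err = r.ReadByte(); err != nil {
				return nil, err
			}
			length = length<<8 | uint32(b)
		}
	}
	if length > maxLen {
		return nil, ErrTooLarge
	}
	out := make([]byte, length) // allocation is now bounded by maxLen
	if _, err := io.ReadFull(r, out); err != nil {
		return nil, err
	}
	return out, nil
}

func main() {
	// Constructed input: length field 84 FF FF FF FF declares about 4 GB.
	in := bufio.NewReader(bytes.NewReader([]byte{0x84, 0xff, 0xff, 0xff, 0xff, 0x00}))
	_, err := ReadValue(in, 64*1024)
	fmt.Println(err)
}
```

The limit should be set from the largest file the application legitimately expects to read from a chip.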

Exploit

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-24738
GHSA-J49H-6577-5XWQ
GO-2026-4379
SUSE-SU-2026:0403-1

Affected Products

Gmrtd