DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24738: Passport to Purgatory: Infinite Loops in gmrtd


Vulnerability ID: CVE-2026-24738
CVSS Score: 4.6
Published: 2026-01-27

A Denial of Service (DoS) vulnerability in the gmrtd Go library allows a malicious NFC chip to crash reading applications by advertising a fake, massive file size (4GB+), leading to memory exhaustion.

TL;DR

The gmrtd library, used to read ePassports, trusts the TLV length that the NFC chip declares for a file. By presenting a chip that claims to hold 4GB of data, an attacker forces the reader into a read loop that never reaches its declared end in practice, burning CPU and allocating until the process dies with an Out-of-Memory (OOM) crash.

Technical Details

  • CWE ID: CWE-400 (Uncontrolled Resource Consumption)
  • Attack Vector: Physical (NFC)
  • CVSS: 4.6 (Medium)
  • Impact: Denial of Service (DoS)
  • Patch: v0.17.2
  • Exploit Status: PoC Available

Affected Systems

  • Border Control Kiosks using Go-based verification
  • Mobile Identity Verification Apps (Android/iOS backends)
  • Electronic ID (eID) readers
  • Any Go software using gmrtd to interact with smart cards
  • gmrtd: < 0.17.2 (Fixed in: 0.17.2)

Code Analysis

Commit: 54469a9

Fix DoS vulnerability in ReadFile by limiting TLV length and chunks

func (nfc *NfcSession) ReadFile(fileId uint16) ... {
+ const READ_FILE_MAX_TLV_LENGTH = tlv.TlvLength(65535)
+ if tmpTlvLength > nfc.readFileMaxTlvLength { return error }
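Review bot: the guard on the second added line compares tmpTlvLength against the field nfc.readFileMaxTlvLength, while the constant READ_FILE_MAX_TLV_LENGTH declared just above it is local to ReadFile, and nothing in this excerpt shows the field being initialised from that constant; if it is only set in one constructor, an NfcSession built any other way (struct literal, test fixture) carries a zero limit and the check `if tmpTlvLength > nfc.readFileMaxTlvLength` rejects every non-empty file. Consider falling back to the constant when the field is zero, or making the field the single source of truth and dropping the local constant. The commit message also promises a cap on chunks, but only the length check is visible here, and the `return error` placeholder hides whether the rejected length is surfaced to the caller; the returned error should carry the offending length so operators can tell a hostile chip from a corrupt one.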

Exploit Details

  • GitHub: PoC included in the fix commit test cases (MockTransceiverHugeLength)

Mitigation Strategies

  • Input Validation: Never trust length indicators from external hardware devices.
  • Resource Limits: Set hard caps on memory allocation and loop iterations for file I/O.
  • Timeouts: Ensure hardware communication loops have strict timeouts.

Remediation Steps:

  1. Upgrade gmrtd to version v0.17.2 or later.
  2. If upgrading is not possible, wrap ReadFile so the call is cancelled once it exceeds a time or memory threshold. Treat this as a stopgap: it limits the damage after the bogus length has been accepted rather than rejecting it up front.
  3. Audit other ISO 7816 parsing logic for similar loops whose bounds or allocation sizes come straight from a TLV header.
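The following is an added worked example, written for this page and not taken from gmrtd or its fix commit, of the read pattern the TL;DR describes and the hardened form the mitigation and remediation lists ask for: a bounded ISO 7816 READ BINARY loop that parses a file's BER-TLV header, caps the declared length at 65535 like the constant in the patch, caps the number of chunks, and refuses to spin on a chip that stops answering. The `Transceiver` interface, the cap values, `memChip`, `hugeChip` and `sampleEF` are all assumptions constructed for the example; the chip data is made up, and `hugeChip` is only a reconstruction of the "advertise 4GB" idea behind the PoC's MockTransceiverHugeLength, not that mock itself.

```go
package main

import "fmt"

// Transceiver abstracts the chip side of ISO 7816 READ BINARY (an assumption here, not gmrtd's API).
type Transceiver interface {
	ReadBinary(offset, n int) ([]byte, error) // up to n bytes from offset
}

// Assumed caps: 65535 matches the constant in the fix commit; maxChunks covers it in 256-byte reads.
const (
	maxTLVLength = 65535
	maxChunkSize = 256
	maxChunks    = maxTLVLength/maxChunkSize + 1
)

// parseBERLength decodes the BER length field at b[0], returning its value and
// the bytes consumed. Indefinite (0x80) and wider-than-4-byte forms are rejected.
func parseBERLength(b []byte) (uint64, int, error) {
	if len(b) == 0 {
		return 0, 0, fmt.Errorf("empty length field")
	}
	l, n := uint64(b[0]), 0 // short form: the byte itself is the length
	if b[0] >= 0x80 {
		n = int(b[0] & 0x7F) // long form: n following bytes, big-endian
		if n == 0 || n > 4 || len(b) < 1+n {
			return 0, 0, fmt.Errorf("bad or truncated length form 0x%02x", b[0])
		}
		l = 0
		for _, x := range b[1 : 1+n] {
			l = l<<8 | uint64(x)
		}
	}
	return l, 1 + n, nil
}

// readFileBounded reads one elementary file. The lines marked FIX are the checks
// an unbounded reader (size the buffer from the header, loop until full) lacks.
func readFileBounded(t Transceiver) ([]byte, error) {
	hdr, err := t.ReadBinary(0, 6)
	if err != nil || len(hdr) < 2 {
		return nil, fmt.Errorf("header read failed: %v", err)
	}
	tl := 1 // tag size; two-byte tags such as 0x7F61 (DG2) have 0x1F in the low bits
	if hdr[0]&0x1F == 0x1F {
		tl = 2
	}
	vl, ll, err := parseBERLength(hdr[tl:])
	if err != nil {
		return nil, err
	}
	if vl > maxTLVLength { // FIX: never size an allocation from the chip's claim
		return nil, fmt.Errorf("declared length %d exceeds cap %d", vl, maxTLVLength)
	}
	total := tl + ll + int(vl)
	out := append(make([]byte, 0, total), hdr...)
	for chunks := 0; len(out) < total; chunks++ {
		if chunks >= maxChunks { // FIX: bound the loop independently of the data
			return nil, fmt.Errorf("more than %d chunks", maxChunks)
		}
		want := total - len(out)
		if want > maxChunkSize {
			want = maxChunkSize
		}
		chunk, err := t.ReadBinary(len(out), want)
		if err != nil {
			return nil, err
		}
		if len(chunk) == 0 { // FIX: a chip that stops sending must not spin the loop
			return nil, fmt.Errorf("chip stopped at %d of %d declared bytes", len(out), total)
		}
		out = append(out, chunk...)
	}
	return out[:total], nil // drops anything a chip delivered past its own claim
}

// memChip serves a constructed in-memory file (not real passport data).
type memChip struct{ data []byte }
func (m memChip) ReadBinary(off, n int) ([]byte, error) {
	if off >= len(m.data) {
		return nil, nil
	}
	buf := make([]byte, n)
	return buf[:copy(buf, m.data[off:])], nil
}

// hugeChip declares a 0xFFFFFFFF-byte value and then returns zeros forever: a
// reconstruction of the PoC idea, not the advisory's MockTransceiverHugeLength.
type hugeChip struct{}
func (hugeChip) ReadBinary(off, n int) ([]byte, error) {
	if off < 6 {
		return memChip{[]byte{0x60, 0x84, 0xFF, 0xFF, 0xFF, 0xFF}}.ReadBinary(off, n)
	}
	return make([]byte, n), nil
}

// sampleEF is a constructed file: tag 0x60 with a 300-byte value, so it needs two chunks.
var sampleEF = append([]byte{0x60, 0x82, 0x01, 0x2C}, make([]byte, 300)...)
```

Calling `readFileBounded(memChip{sampleEF})` returns the full 304-byte file after a 6-byte header read and two chunk reads; `readFileBounded(hugeChip{})` returns an error at the length check, before any allocation sized from the chip's claim; a chip that declares 5 bytes but delivers 2 is reported instead of looping. Those three FIX checks are also the checklist for remediation step 3: wherever a loop bound or a `make` size is derived from a TLV header, the same cap, chunk limit and progress check belong beside it.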


Read the full report for CVE-2026-24738 on our website for more details including interactive diagrams and full exploit analysis.
