CVE-2026-24738 is a low-severity vulnerability with a CVSS score of 0.0. No exploits are currently known, and patches are available.
EPSS: very low probability of exploitation. EPSS predicts the probability of exploitation in the next 30 days from real-world threat data, complementing CVSS severity scores with an estimate of actual risk.
A denial-of-service vulnerability was identified in ReadFile(): unbounded TLV length values could cause excessive CPU and memory usage when processing data from a malicious or non-compliant NFC source. The issue was fixed by enforcing strict limits on acceptable TLV lengths.
ReadFile() processes BER-TLV encoded data returned from an NFC or APDU source via a Transceiver interface. Prior to the fix, the implementation did not enforce an upper bound on long-form TLV length values.
A malicious or non-compliant NFC endpoint could advertise an excessively large length (up to 4 GB), causing the library to consume excessive CPU and memory while trying to honour it.
While such lengths are unrealistic for compliant MRTD or ISO 7816 devices, they can be produced by emulated or malicious sources, or by untrusted inputs routed through higher-level APIs.
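The failure mode above is easiest to see in the length decoder itself. The following is an added example, not gmrtd's own code: a minimal BER-TLV definite-form length parser in the style an MRTD reader would use, with a switch that reproduces the pre-fix behaviour (any advertised long-form length is accepted) beside the hardened behaviour (lengths above a cap are rejected before anything is allocated). The cap `maxTLVLength`, the error names and the single-byte-tag `parseTLV` helper are assumptions for illustration; the page does not state the limit gmrtd chose.

```go
package main

import (
	"errors"
	"fmt"
)

// maxTLVLength is a hypothetical cap on acceptable TLV lengths. The real value
// enforced by gmrtd v0.17.2 is not given on this page; 32 KiB comfortably
// covers ISO 7816 elementary files while refusing multi-gigabyte claims.
const maxTLVLength = 32 * 1024

var (
	ErrTruncated      = errors.New("tlv: truncated input")
	ErrLengthTooLarge = errors.New("tlv: length exceeds maximum acceptable value")
	ErrBadLengthForm  = errors.New("tlv: unsupported length encoding")
)

// decodeLength parses a BER-TLV definite-form length starting at buf[0].
// Short form: one byte 0x00..0x7F. Long form: 0x81..0x84 followed by 1..4
// big-endian length bytes, which is how a source can claim up to 4 GB.
// It returns the decoded length and the number of bytes consumed.
// With enforceLimit=false it behaves like the pre-fix code and accepts any
// advertised length; with enforceLimit=true it rejects lengths above the cap.
func decodeLength(buf []byte, enforceLimit bool) (length uint64, consumed int, err error) {
	if len(buf) == 0 {
		return 0, 0, ErrTruncated
	}
	first := buf[0]
	if first < 0x80 {
		return uint64(first), 1, nil
	}
	n := int(first & 0x7F)
	// 0x80 (indefinite form) is not used in ISO 7816 BER-TLV, and more than
	// four length bytes is never legitimate for card data.
	if n == 0 || n > 4 {
		return 0, 0, ErrBadLengthForm
	}
	if len(buf) < 1+n {
		return 0, 0, ErrTruncated
	}
	for i := 1; i <= n; i++ {
		length = length<<8 | uint64(buf[i])
	}
	if enforceLimit && length > maxTLVLength {
		return 0, 0, ErrLengthTooLarge
	}
	return length, 1 + n, nil
}

// TLV is a decoded tag/length/value triple (single-byte tags only, for brevity;
// real MRTD data also uses two-byte tags such as 0x5F01).
type TLV struct {
	Tag   byte
	Value []byte
}

// parseTLV decodes one TLV with the cap enforced and, as a second guard,
// refuses to allocate more bytes than are actually present in the input.
func parseTLV(data []byte) (TLV, error) {
	if len(data) < 2 {
		return TLV{}, ErrTruncated
	}
	tag := data[0]
	length, consumed, err := decodeLength(data[1:], true)
	if err != nil {
		return TLV{}, err
	}
	rest := data[1+consumed:]
	if uint64(len(rest)) < length {
		return TLV{}, ErrTruncated
	}
	// Allocation is now bounded by both maxTLVLength and len(rest).
	val := make([]byte, length)
	copy(val, rest[:length])
	return TLV{Tag: tag, Value: val}, nil
}

func main() {
	// Constructed inputs: a benign record and a hostile 4 GB-1 length claim.
	benign := []byte{0x60, 0x05, 'h', 'e', 'l', 'l', 'o'}
	hostile := []byte{0x60, 0x84, 0xFF, 0xFF, 0xFF, 0xFF}

	l, _, _ := decodeLength(hostile[1:], false)
	fmt.Printf("pre-fix decoder accepts length %d bytes\n", l)

	if _, err := parseTLV(hostile); err != nil {
		fmt.Println("hardened parser:", err)
	}
	if tlv, err := parseTLV(benign); err == nil {
		fmt.Printf("benign record: tag 0x%02X value %q\n", tlv.Tag, tlv.Value)
	}
}
```

Note that the pre-fix path does not itself crash: the damage comes from whatever the caller does with a 4 GB length next (allocating a buffer, or looping on further READ BINARY commands until the claimed length is satisfied), which is why the check belongs at the decoder rather than at each consumer.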
Applications using gmrtd to read data from NFC or APDU sources may experience a denial of service through excessive CPU and memory consumption.
No confidentiality or data integrity impact has been identified.
This issue has been resolved in v0.17.2. The fix introduces strict limits on acceptable TLV lengths.
Users should upgrade to v0.17.2 or later. No additional mitigation is required once the library is updated.
Discovered and reported by @ramrunner.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.