Vulnerability Description
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
- https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
- https://github.com/indutny/bn.js/issues/186
- https://github.com/indutny/bn.js/issues/316
- https://github.com/indutny/bn.js/pull/317
- https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
FAQ
What is CVE-2026-2739?
CVE-2026-2739 is a vulnerability with a CVSS score of 5.3 (MEDIUM). This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, han...
How severe is CVE-2026-2739?
CVE-2026-2739 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-2739?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.