CVE-2026-2739

MEDIUM

bn.js <5.2.3 - DoS

Title source: llm

Description

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

Scores

CVSS v3 5.3
EPSS 0.0002
EPSS Percentile 6.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-835
Status published
Products (2)
n/a/bn.js < 5.2.3
npm/bn.js 0 - 5.2.3
Published Feb 20, 2026
Tracked Since Feb 20, 2026