CVE-2026-2739
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
| CWE | CWE-835 |
| Vendor | n/a |
| Product | bn.js |
| Published | Feb 20, 2026 |
| Last Updated | Feb 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for n/a bn.js
Be the first to know when new medium vulnerabilities affecting n/a bn.js are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
n/a / bn.js
0 < 5.2.3
References
security.snyk.io: https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301 github.com: https://github.com/indutny/bn.js/issues/316 github.com: https://github.com/indutny/bn.js/issues/186 gist.github.com: https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91 github.com: https://github.com/indutny/bn.js/pull/317 github.com: https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
Credits
Kr0emer