CVE-2026-2739

bn.js: bn.js: Denial of Service via calling maskn(0)

Description

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

INFO

Published Date :

2026-02-20T05:00:08.253Z

Last Modified :

2026-02-20T15:03:53.743Z

Source :

snyk

AFFECTED PRODUCTS

The following products are affected by CVE-2026-2739 vulnerability.

Vendors	Products
Indutny	Bn.js

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-2739.

URL	Resource
https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
https://github.com/indutny/bn.js/issues/186
https://github.com/indutny/bn.js/issues/316
https://github.com/indutny/bn.js/pull/317
https://nvd.nist.gov/vuln/detail/CVE-2026-2739
https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
https://www.cve.org/CVERecord?id=CVE-2026-2739