CVE-2026-2739
bn.js affected by an infinite loop
CVSS 3.1: 5.3 (MEDIUM)
EPSS: 0.02%
Description
This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
How to fix CVE-2026-2739
To remediate CVE-2026-2739, upgrade the affected package to a fixed version below.
- Debian/node-bn.js—no fix listed
- —upgrade to 4.12.3 or later
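To confirm that an upgrade reached every installed copy, including ones nested under other dependencies, a lockfile check along these lines can help. This is an added example, not code from bn.js or from this advisory. It assumes an npm lockfile (v2/v3 `packages` map), reads the description as "4.x and older fixed in 4.12.3, 5.x fixed in 5.2.3", and uses a constructed sample lockfile with made-up dependency names.

```javascript
// Added example: flag bn.js copies in an npm lockfile that predate the fix.
// Assumption: 4.x and older are fixed in 4.12.3, the 5.x line in 5.2.3.
const FIXED = { 4: [4, 12, 3], 5: [5, 2, 3] };

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic comparison of two [major, minor, patch] triples.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return the fixed version a vulnerable release should move to, or null if not affected.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return "review manually"; // unparseable version: do not silently pass it
  const fixed = v[0] >= 5 ? FIXED[5] : FIXED[4];
  return lessThan(v, fixed) ? fixed.join(".") : null;
}

// Walk the lockfile "packages" map; nested copies under other packages count too.
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/bn\.js$/.test(path)) continue;
    const fix = fixFor(meta.version);
    if (fix) findings.push({ path, version: meta.version, fix });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/bn.js": { version: "5.2.3" },
    "node_modules/demo-lib-a/node_modules/bn.js": { version: "4.12.0" },
    "node_modules/demo-lib-b/node_modules/bn.js": { version: "4.12.3" },
    "node_modules/demo-lib-c/node_modules/bn.js": { version: "5.2.1" },
  },
};
console.log(scanLock(sampleLock));
```

Nested copies are pinned by the dependency that pulls them in, so a finding under another package's `node_modules` usually means upgrading that parent or adding an override.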
Is CVE-2026-2739 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 4.12.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |