#VU123579 Infinite loop in bn.js - CVE-2026-2739
Published: March 5, 2026
Vulnerability identifier: #VU123579
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-2739
CWE-ID: CWE-835
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
bn.js
bn.js
Software vendor:
indutny
indutny
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can сall maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Remediation
Install updates from vendor's website.
External links
- https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
- https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
- https://github.com/indutny/bn.js/issues/186
- https://github.com/indutny/bn.js/issues/316
- https://github.com/indutny/bn.js/pull/317
- https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301