Infinite loop in bn.js - CVE-2026-2739
Published: March 5, 2026
Vulnerability identifier: #VU123579
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-2739
CWE-ID: CWE-835
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: indutny
Affected software:
bn.js
bn.js
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can сall maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
How to mitigate CVE-2026-2739
Install updates from vendor's website.
Sources
- https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
- https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
- https://github.com/indutny/bn.js/issues/186
- https://github.com/indutny/bn.js/issues/316
- https://github.com/indutny/bn.js/pull/317
- https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301