CVE-2026-2739: Infinite Loop in Node-bn.js

CWE-835: Infinite Loop (8 documents, 7 sources)
Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 94.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 20

Description

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages (2 packages)

debian: debian/node-bn.js < node-bn.js 5.2.3+~5.2.0-1 (forky)

🔴 Vulnerability Details (3)

GHSA: bn.js affected by an infinite loop (2026-02-20)
OSV: bn.js affected by an infinite loop (2026-02-20)
OSV: CVE-2026-2739: This affects versions of the package bn (2026-02-20)

📋 Vendor Advisories (3)

Red Hat: bn.js: bn.js: Denial of Service via calling maskn(0) (2026-02-20)
Microsoft: This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, han (2026-02-10)
Debian: CVE-2026-2739: node-bn.js - This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-2739 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2739 — Infinite Loop in Debian Node-bn.js | cvebase