Medium severity 5.3 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026
CVE-2026-2739
Description
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bn.js (npm) | < 4.12.3 | 4.12.3 |
| bn.js (npm) | >= 5.0.0, < 5.2.3 | 5.2.3 |
Affected products
osv-coords (30 versions):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r10 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r10 |
| pkg:apk/chainguard/kibana-8.18 | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-bitnami | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.11-r1 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.11-r1 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.11-r1 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r12 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r12 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r12 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.5-r5 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.5-r5 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.0-r2 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.0-r2 |
| pkg:apk/chainguard/kibana-9.4 | < 9.4.2-r1 |
| pkg:apk/chainguard/kibana-9.4-iamguarded | < 9.4.2-r1 |
| pkg:apk/chainguard/librechat | < 0.8.2-r6 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.4-r13 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.4-r11 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r5 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r3 |
| pkg:apk/chainguard/sqlpad | < 7.5.7-r10 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.4-r13 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r5 |
| pkg:apk/wolfi/sqlpad | < 7.5.7-r10 |
| pkg:npm/bn.js | < 4.12.3 |
| pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed | < 0.7.0.4.git185.a5708584-2.1 |
References
- github.com/advisories/GHSA-378v-28hj-76wf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-2739 (ghsa, ADVISORY)
- gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91 (nvd, WEB)
- github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b (nvd, WEB)
- github.com/indutny/bn.js/issues/186 (nvd, WEB)
- github.com/indutny/bn.js/issues/316 (nvd, WEB)
- github.com/indutny/bn.js/issues/316 (ghsa, WEB)
- github.com/indutny/bn.js/pull/317 (nvd, WEB)
- github.com/indutny/bn.js/releases/tag/v5.2.3 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-BNJS-15274301 (nvd, WEB)