Medium severity 5.3 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026
CVE-2026-2739
Description
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bn.js (npm) | < 4.12.3 | 4.12.3 |
| bn.js (npm) | >= 5.0.0, < 5.2.3 | 5.2.3 |
Patches
33df26b5771e fix imaskn state (#317)
2 files changed · +7 −0
lib/bn.js+5 −0 modified@@ -2216,6 +2216,11 @@ this.words[this.length - 1] &= mask; } + if (this.length === 0) { + this.words[0] = 0; + this.length = 1; + } + return this._strip(); };
test/binary-test.js+2 −0 modified@@ -56,6 +56,8 @@ describe('BN.js/Binary', function () { describe('.imaskn()', function () { it('should mask bits in-place', function () { + assert.equal(new BN(42).imaskn(0).toString(), '0'); + assert.equal(new BN(42).imaskn(0).toString(16), '0'); assert.equal(new BN(0).imaskn(1).toString(16), '0'); assert.equal(new BN(3).imaskn(1).toString(16), '1'); assert.equal(new BN('123456789', 16).imaskn(4).toString(16), '9');
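Review bot: in lib/bn.js the new `if (this.length === 0)` guard sits inside this one method, just before `return this._strip();`, so any other path that leaves `length` at 0 is still unguarded. Consider normalising the zero-length case inside `_strip()` itself, or add a one-line comment here saying which input produces `length === 0` so the reason for the special case is recorded next to the code.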
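Review bot: in test/binary-test.js the two new assertions are folded into the existing 'should mask bits in-place' case and only exercise `toString()` after `imaskn(0)`. Give the zero-bit case its own `it(...)` so a regression is reported by name (the failure mode is a hang, so it will surface as a test timeout rather than a failed assertion), and add a check of a second operation on the masked value, such as the `divmod()` call the advisory description names.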
References
- github.com/advisories/GHSA-378v-28hj-76wf [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2026-2739 [ghsa, ADVISORY]
- gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91 [nvd, WEB]
- github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b [nvd, WEB]
- github.com/indutny/bn.js/issues/186 [nvd, WEB]
- github.com/indutny/bn.js/issues/316 [nvd, ghsa, WEB]
- github.com/indutny/bn.js/pull/317 [nvd, WEB]
- github.com/indutny/bn.js/releases/tag/v5.2.3 [ghsa, WEB]
- security.snyk.io/vuln/SNYK-JS-BNJS-15274301 [nvd, WEB]