{"id":"CVE-2026-2739","details":"This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.","aliases":["GHSA-378v-28hj-76wf"],"modified":"2026-04-10T05:38:23.657123Z","published":"2026-02-20T05:17:53.033Z","related":["CGA-j9mh-7wr6-2qqr"],"references":[{"type":"WEB","url":"https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301"},{"type":"REPORT","url":"https://github.com/indutny/bn.js/issues/186"},{"type":"REPORT","url":"https://github.com/indutny/bn.js/issues/316"},{"type":"FIX","url":"https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b"},{"type":"FIX","url":"https://github.com/indutny/bn.js/pull/317"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/indutny/bn.js","events":[{"introduced":"0"},{"fixed":"ea6c072a951493ca99e5cd5f8da3851b90116271"},{"fixed":"33df26b5771e824f303a79ec6407409376baa64b"}],"database_specific":{"versions":[{"introduced":"bn.js"},{"fixed":"5.2.3"}]}}],"versions":["v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.10.0","v0.10.1","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.11.4","v0.11.5","v0.11.6","v0.11.7","v0.12.0","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.14.0","v0.14.1","v0.14.2","v0.15.0","v0.15.1","v0.15.2","v0.16.0","v0.16.1","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.6.0","v0.7.0","v0.7.1","v0.8.0","v0.8.1","v0.9.0","v1.0.0","v1.0.1","v1.1.0","v1.1.1","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.3.0","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.2.0","v3.0.0","v3.0.1","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.3.0","v4.0.0","v4.1.0","v4.1.1","v4.10.0","v4.10.1","v4.10.2","v4.10.3","v4.10.4","v4.10.5","v4.11.0","v4.11.1","v4.11.2","v4.11.3","v4.11.4","v4.11.5","v4.11.6","v4.11.7","v4.11.8","v4.2.0","v4.3.0","v4.4.0","v4.5.0","v4.5.1","v4.5.2","v4.6.0","v4.6.1","v4.6.2","v4.6.3","v4.6.4","v4.6.5","v4.6.6","v4.7.0","v4.8.0","v4.8.1","v4.9.0","v5.0.0","v5.1.0","v5.1.1","v5.1.2","v5.1.3","v5.2.0","v5.2.1","v5.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2739.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}