CVE-2026-2739
Infinite Loop Vulnerability in bn.js Before 5.2.3 Causes Process Hang
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: Snyk
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| indutny | bn.js | to 5.2.3 (exc) |
| indutny | bn.js | to 5.2.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2739 is a vulnerability in the bn.js library affecting versions before 5.2.3. The issue occurs when the method maskn(0) is called on any BN (Big Number) instance. This call corrupts the internal state by setting the length property to 0, which violates the library's internal invariant that length must be at least 1.
Because of this corrupted state, methods such as toString() and divmod() enter an infinite loop, since their termination conditions rely on length being at least 1. The process hangs indefinitely, effectively causing a Denial of Service (DoS).
The root cause is that maskn(0) leaves an invalid empty number representation internally, which the library did not handle. The fix ensures that when maskn(0) is called, the internal state is reset to a valid zero value with length set to 1. [2, 3, 5]
How can this vulnerability impact me?
This vulnerability can cause applications using the affected bn.js versions to hang indefinitely when processing certain inputs that trigger maskn(0).
Specifically, it leads to an infinite loop consuming 100% CPU on the affected thread, resulting in a Denial of Service (DoS) condition where the process becomes unresponsive.
Since bn.js is widely used in over 5,670 npm packages, including critical cryptographic libraries, any application that allows an attacker to control the bits parameter passed to maskn() can be forced into a complete process hang.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether calling the method maskn(0) on any BN instance causes the process to hang indefinitely due to an infinite loop in methods like toString() or divmod().
A minimal reproduction example in a Node.js environment is:
    const BN = require('bn.js');
    new BN('1', 10).maskn(0).toString(); // hangs forever if vulnerable
If this command causes the process to hang or enter an infinite loop, the system is vulnerable. [2, 3, 5]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the bn.js package to version 5.2.3 or later, where the vulnerability has been fixed.
The fix involves correcting the imaskn method to properly handle the case when maskn(0) is called, ensuring the internal state remains valid and preventing infinite loops.
If upgrading is not immediately possible, avoid calling maskn(0) on BN instances or sanitize inputs to prevent zero-bit masking operations.
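Because bn.js is usually pulled in transitively, checking only the top-level dependency misses nested copies. The following is an added example (not part of the advisory or of bn.js) that audits a package-lock.json v2/v3 "packages" map for every bn.js entry older than the fixed 5.2.3; the lock file contents and the dependency name are constructed for illustration.

```javascript
// Added example: find bn.js copies below the fixed version in a lock file,
// including nested copies under other dependencies' node_modules.
const FIXED_VERSION = '5.2.3';

// Compare two dotted numeric versions (pre-release tags are ignored).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map((s) => parseInt(s, 10) || 0);
  const pb = b.split('.').map((s) => parseInt(s, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return { path, version } for every bn.js entry older than FIXED_VERSION.
// Lock-file paths end in "node_modules/bn.js" whether top-level or nested.
function findVulnerableBnJs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/bn\.js$/.test(path)) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock file: the direct bn.js is patched, but a
// hypothetical dependency ("some-crypto-dep") pins an older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/bn.js': { version: '5.2.3' },
    'node_modules/some-crypto-dep': { version: '1.0.0' },
    'node_modules/some-crypto-dep/node_modules/bn.js': { version: '4.12.1' },
  },
};

const report = findVulnerableBnJs(SAMPLE_LOCK);
console.log(report.length === 0
  ? 'No vulnerable bn.js copies found'
  : `Vulnerable bn.js copies: ${JSON.stringify(report)}`);
```

Run it against a real lock file by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any reported path must be upgraded to 5.2.3 or later, typically via an override on the nested dependency.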