CVE-2026-2739
Received Received - Intake
Infinite Loop Vulnerability in bn.js Before 5.2.3 Causes Process Hang

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: Snyk

Description
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2739
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
indutny bn.js to 5.2.3 (exc)
indutny bn.js to 5.2.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2739 is a vulnerability in the bn.js library affecting versions before 5.2.3. The issue occurs when the method maskn(0) is called on any BN (Big Number) instance. This call corrupts the internal state by setting the length property to 0, which violates the library's internal invariant that length must be at least 1."}, {'type': 'paragraph', 'content': 'Because of this corrupted state, methods such as toString() and divmod() enter an infinite loop since their termination conditions rely on the length being at least 1. This infinite loop causes the process to hang indefinitely, effectively causing a Denial of Service (DoS).'}, {'type': 'paragraph', 'content': 'The root cause is that maskn(0) leads to an invalid empty number representation internally, which was not properly handled by the library. The fix involves ensuring that when maskn(0) is called, the internal state is reset to a valid zero value with length set to 1.'}] [2, 3, 5]

Impact Analysis

This vulnerability can cause applications using the affected bn.js versions to hang indefinitely when processing certain inputs that trigger maskn(0).

Specifically, it leads to an infinite loop consuming 100% CPU on the affected thread, resulting in a Denial of Service (DoS) condition where the process becomes unresponsive.

Since bn.js is widely used in over 5,670 npm packages, including critical cryptographic libraries, any application that allows an attacker to control the bits parameter passed to maskn() can be forced into a complete process hang.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing if calling the method maskn(0) on any BN instance causes the process to hang indefinitely due to an infinite loop in methods like toString() or divmod().'}, {'type': 'paragraph', 'content': 'A minimal reproduction example in a Node.js environment is:'}, {'type': 'list_item', 'content': "const BN = require('bn.js');"}, {'type': 'list_item', 'content': "new BN('1', 10).maskn(0).toString(); // hangs forever if vulnerable"}, {'type': 'paragraph', 'content': 'If this command causes the process to hang or enter an infinite loop, the system is vulnerable.'}] [2, 3, 5]

Mitigation Strategies

The immediate mitigation step is to upgrade the bn.js package to version 5.2.3 or later, where the vulnerability has been fixed.

The fix involves correcting the imaskn method to properly handle the case when maskn(0) is called, ensuring the internal state remains valid and preventing infinite loops.

If upgrading is not immediately possible, avoid calling maskn(0) on BN instances or sanitize inputs to prevent zero-bit masking operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart