← back
CVE-2026-2739

CVE-2026-2739

CVSS 6.9 MEDIUMEPSS 0.5%CWE-835
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
20 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
n/a · bn.js

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64bhttps://github.com/indutny/bn.js/issues/186https://github.com/indutny/bn.js/issues/316https://github.com/indutny/bn.js/pull/317https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301