CVE-2026-2739 MEDIUM

CVE-2026-2739

Vendor N/A
Product bn.js
Weakness CWE-835
Published February 20, 2026
Last update February 20, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

What the vulnerability does

01Description

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

Key dates

02Disclosure timeline

February 20, 2026 CVE published
February 20, 2026 Record updated