CVE-2026-2739

Sažetak

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

Reference

https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
https://github.com/indutny/bn.js/issues/186
https://github.com/indutny/bn.js/issues/316
https://github.com/indutny/bn.js/pull/317
https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301

CVSS

Base:	5.3
Impact:	1.4
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Zadnje važnije ažuriranje

20-02-2026 - 13:49

Objavljeno

20-02-2026 - 05:17