| Name | CVE-2026-2739 |
| Description | This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1128619 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-bn.js (PTS) | bullseye | 5.1.3-1 | vulnerable |
| node-bn.js (PTS) | forky, sid, bookworm, trixie | 5.2.1+~5.1.1-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-bn.js | source | (unstable) | (unfixed) | | | 1128619 |
https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
https://github.com/indutny/bn.js/issues/316
https://github.com/indutny/bn.js/issues/186
https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
https://github.com/indutny/bn.js/pull/317
Fixed by: https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b (v5.2.3)