CVE-2026-2739 is a vulnerability in the bn.js library, a popular JavaScript library for arbitrary precision arithmetic. Versions before 5.2.3 are affected. The issue arises when the maskn(0) method is invoked on a BN instance. This call corrupts the internal state of the BN object, which subsequently causes methods such as toString(), divmod(), and potentially others to enter infinite loops. These infinite loops cause the JavaScript process to hang indefinitely, effectively resulting in a denial of service condition. The vulnerability can be triggered remotely without any authentication or user interaction, as it only requires invoking the affected method with a zero parameter. The CVSS 4.0 base score is 6.9, reflecting a medium severity level due to the ease of exploitation and impact on availability, but no impact on confidentiality or integrity. No known exploits have been reported in the wild, but the vulnerability poses a risk to any application or service using vulnerable versions of bn.js, especially those exposed to untrusted inputs that might trigger the maskn(0) call. The issue was publicly disclosed on February 20, 2026, and fixed in version 5.2.3 of bn.js.

The primary impact of CVE-2026-2739 is denial of service through indefinite process hangs caused by infinite loops in bn.js methods. This can disrupt applications relying on bn.js for cryptographic operations, financial calculations, or other arbitrary precision arithmetic tasks. Organizations running web services, blockchain platforms, or any JavaScript-based backend or frontend that uses vulnerable bn.js versions may experience service outages or degraded performance. The vulnerability does not directly compromise confidentiality or integrity but can lead to operational disruptions and potential cascading failures in dependent systems. Since exploitation requires no authentication or user interaction, attackers can remotely trigger the hang condition, making it a viable vector for denial of service attacks. The scope of affected systems is broad given the widespread use of bn.js in the JavaScript ecosystem, impacting cloud providers, SaaS platforms, and enterprise applications globally.

To mitigate CVE-2026-2739, organizations should immediately upgrade all instances of bn.js to version 5.2.3 or later, where the issue is resolved. Code audits should be conducted to identify any direct or transitive dependencies on vulnerable bn.js versions, especially in critical systems handling untrusted inputs. Implement input validation and sanitization to prevent unexpected calls to maskn(0) where possible. Employ runtime monitoring and alerting to detect abnormal CPU usage or process hangs indicative of infinite loops. For environments where immediate upgrade is not feasible, consider isolating or sandboxing components using bn.js to limit the impact of potential hangs. Additionally, incorporate automated dependency scanning tools in CI/CD pipelines to catch vulnerable versions early. Maintain awareness of updates from bn.js maintainers and the broader JavaScript security community for any further advisories.