CVE-2026-2739: Infinite loop in bn.js
CVE-2026-2739 is a medium severity vulnerability in bn.js versions prior to 5.2.3. The issue arises when the maskn(0) method is called on any BN instance, corrupting the internal state and causing methods like toString() and divmod() to enter an infinite loop. This results in the affected process hanging indefinitely, leading to a denial of service. The vulnerability requires no authentication or user interaction and can be triggered remotely if the vulnerable code is exposed to untrusted input. No known exploits are currently reported in the wild. Organizations using bn.js in cryptographic or numerical computations should update to version 5.
AI Analysis
Technical Summary
CVE-2026-2739 identifies a vulnerability in the bn.js library, a widely used JavaScript library for arbitrary precision arithmetic. The flaw exists in versions before 5.2.3 and is triggered by invoking the maskn(0) method on any BN instance. This call corrupts the internal state of the BN object, causing critical methods such as toString() and divmod() to enter an infinite loop. The infinite loop causes the JavaScript runtime process to hang indefinitely, effectively resulting in a denial of service (DoS). The vulnerability does not require any privileges, authentication, or user interaction to exploit, and can be triggered remotely if the vulnerable function is exposed to attacker-controlled input. The CVSS 4.0 score of 6.9 reflects a medium severity, emphasizing the ease of exploitation and impact on availability but limited impact on confidentiality or integrity. No known exploits have been reported in the wild, but the vulnerability poses a risk to any application relying on bn.js for cryptographic or numerical operations, especially in server-side or critical infrastructure contexts. The patch was released in version 5.2.3, and upgrading is the primary remediation step.
Potential Impact
The primary impact of this vulnerability is a denial of service caused by infinite loops that hang the affected process. This can disrupt applications that rely on bn.js for big number calculations, including cryptographic operations, blockchain platforms, financial services, and other JavaScript-based systems. The hang can lead to service outages, degraded performance, and potential cascading failures in dependent systems. Since the vulnerability can be triggered remotely without authentication, exposed services using vulnerable versions are at risk of being targeted for DoS attacks. While confidentiality and integrity are not directly impacted, the availability disruption can have significant operational and reputational consequences for organizations. The scope includes any system using vulnerable bn.js versions, which is common in Node.js environments and web applications globally.
Mitigation Recommendations
The most effective mitigation is to upgrade bn.js to version 5.2.3 or later, where the infinite loop issue is resolved. Organizations should audit their software dependencies to identify and update any usage of vulnerable bn.js versions. For environments where immediate upgrade is not feasible, implementing input validation to prevent calls to maskn(0) or sanitizing inputs that could trigger this method can reduce risk. Additionally, deploying runtime monitoring and timeout mechanisms can help detect and recover from infinite loops to maintain service availability. Incorporating dependency scanning tools in CI/CD pipelines will help prevent vulnerable versions from being deployed. Finally, isolating critical services and limiting exposure of vulnerable components to untrusted inputs can reduce the attack surface.
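As an added example, not taken from the advisory or from the bn.js project, the following Node.js script covers two of the steps above: it walks an npm lockfile (v2/v3 `packages` layout, constructed inline here) to find every installed copy of bn.js, including transitive copies nested under other packages, and flags each one that predates 5.2.3; and it wraps the maskn call with an argument check for the case where an upgrade has to wait. The lockfile contents, the `some-dep` package and the helper names are assumptions; the version threshold is the advisory's own statement that everything before 5.2.3 is affected, so the 4.x line is flagged as well.

```javascript
// Added example (not from the advisory or the bn.js project): a lockfile
// audit plus an argument guard for the mitigations listed above.
// Assumptions: npm lockfile v2/v3 layout ("packages" keyed by install path),
// and that "vulnerable" means exactly what the advisory states, i.e. any
// bn.js version before 5.2.3 (so the 4.x line is flagged too).

const FIXED_VERSION = '5.2.3';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; build metadata is ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator semantics (negative, zero, positive). A pre-release sorts
// before the same release number, so 5.2.3-rc.1 is still "before 5.2.3".
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isVulnerableBnVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk an npm lockfile object and list every bn.js copy, including nested
// ones pulled in transitively, with its version and whether it needs updating.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === 'node_modules/bn.js' || path.endsWith('/node_modules/bn.js')) {
      findings.push({
        path,
        version: entry.version,
        vulnerable: isVulnerableBnVersion(entry.version),
      });
    }
  }
  return findings;
}

// Interim mitigation: refuse a mask width that is not a positive integer
// before the call reaches BN#maskn. `bn` is any object with a maskn(bits)
// method; with bn.js installed that would be a BN instance.
function guardedMaskn(bn, bits) {
  if (!Number.isInteger(bits) || bits <= 0) {
    throw new RangeError(`maskn: bit width must be a positive integer, got ${bits}`);
  }
  return bn.maskn(bits);
}

// Constructed sample lockfile: a direct bn.js dependency that is already on
// the fixed version, and a transitive copy under a hypothetical "some-dep"
// package that is still on the 4.x line.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { 'bn.js': '^5.2.3', 'some-dep': '^1.0.0' } },
    'node_modules/bn.js': { version: '5.2.3' },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { 'bn.js': '^4.11.0' } },
    'node_modules/some-dep/node_modules/bn.js': { version: '4.12.0' },
  },
};

// Print one line per installed copy; the nested 4.12.0 copy is the one to fix.
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} ${f.version}`);
}
```

In a real pipeline the object passed to `auditLockfile` would come from `JSON.parse` of the project's package-lock.json, and a non-empty list of vulnerable findings would fail the build; the nested-copy case matters because a direct upgrade to 5.2.3 does not replace copies that other dependencies pin to an older range.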
Affected Countries
United States, India, Germany, United Kingdom, China, Canada, Australia, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: snyk
- Date Reserved: 2026-02-19T10:59:37.687Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6997ee52d7880ec89b7878a3
Added to database: 2/20/2026, 5:17:06 AM
Last enriched: 2/20/2026, 5:31:46 AM
Last updated: 2/20/2026, 6:18:49 AM