CVE-2026-2739 is a vulnerability affecting the bn.js JavaScript library. It arises from a flaw in the maskn(0) function, where calling it on a BN instance corrupts the internal state. This corruption can trigger an infinite loop when using methods like toString(), divmod(), and others, effectively freezing the process. The vulnerability impacts versions of bn.js prior to 4.12.3 and 5.2.3, and a patch is available in versions 4.12.3 and 5.2.3.
影响与攻击场景翻译中…
CVE-2026-2739 in bn.js affects versions prior to 4.12.3 and 5.2.3. This is an internal state corruption vulnerability triggered by calling maskn(0) on any BN instance. This action causes methods like toString(), divmod(), and others to enter an infinite loop, resulting in indefinite process hang. The severity of this issue lies in its potential to cause a denial-of-service (DoS) condition in applications utilizing the bn.js library for arbitrary-precision arithmetic. The impact is particularly significant in production environments where availability and stability are critical. The vulnerability does not require authentication, making it remotely exploitable if the library is used in a vulnerable context, such as a web server or API.
利用背景翻译中…
Exploitation of this vulnerability requires access to an environment where a vulnerable version of bn.js is being used. An attacker could inject malicious code that calls maskn(0) in a context where the bn.js library is being utilized, for example, through a malicious HTTP request to an API that uses the library. Since the vulnerability does not require authentication, an attacker could exploit it remotely. The impact of exploitation is a denial-of-service, as the process will hang indefinitely. Detection of exploitation can be difficult, as the process hang may resemble a random failure. It is important to monitor the performance of applications that use bn.js and look for unusual hanging patterns.
威胁情报
漏洞利用状态
EPSS
0.02% (5% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 未改变 — 影响仅限于脆弱组件本身。
- Confidentiality
- 无 — 无机密性影响。
- Integrity
- 无 — 无完整性影响。
- Availability
- 低 — 部分或间歇性拒绝服务。
受影响的软件
软件包信息
- 最后更新
- 5.2.33个月前
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The solution to mitigate CVE-2026-2739 is to update the bn.js library to version 4.12.3 or higher, or to version 5.2.3 or higher. These versions contain a fix that prevents the internal state corruption when calling maskn(0). It is recommended to perform this update as soon as possible to protect your applications from potential attacks. If an update is not immediately possible, consider implementing input validation to prevent maskn(0) from being called with the argument 0. However, this measure is less secure than updating to a patched version. Regularly reviewing project dependencies and applying security updates is crucial for maintaining a secure development environment.
修复方法翻译中…
Actualice la dependencia bn.js a la versión 5.2.3 o superior. Esto solucionará la corrupción del estado interno al llamar a maskn(0) y evitará el bucle infinito en métodos como toString() y divmod(). Ejecute `npm install bn.js@latest` o `yarn upgrade bn.js` para actualizar.
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2026-2739 in bn.js?
bn.js is a JavaScript library for performing arbitrary-precision integer arithmetic.
Am I affected by CVE-2026-2739 in bn.js?
Review your project's dependencies and check the version of bn.js you are using. If it’s prior to 4.12.3 or 5.2.3, it is vulnerable.
How do I fix CVE-2026-2739 in bn.js?
As a temporary measure, you can try validating input to prevent maskn(0) from being called with the argument 0, but this is not a complete solution.
Is CVE-2026-2739 being actively exploited?
Currently, there are no specific tools to detect this vulnerability, but application performance monitoring can help identify unusual hangs.
Where can I find the official bn.js advisory for CVE-2026-2739?
You can find more information about the vulnerability in the CVE-2026-2739 entry in vulnerability databases like the National Vulnerability Database (NVD).