CVE-2026-55254
Received Received - Intake

Integer Overflow in NCalc Factorial Operator

Vulnerability report for CVE-2026-55254, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

NCalc is a fast, lightweight expression evaluator for .NET. Prior to 6.1.1, the factorial operator implementation in src/NCalc.Core/Helpers/MathHelper.cs permits specially crafted expressions with extremely large factorial operands, causing excessive CPU consumption or a non-terminating loop due to integer overflow in the factorial calculation logic when applications evaluate untrusted expressions. This issue is fixed in version 6.1.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ncalc ncalc 6.1.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55254 is a denial-of-service vulnerability in NCalc, a .NET expression evaluation library. It involves the factorial operator implementation where specially crafted expressions with extremely large factorial operands cause excessive CPU consumption or non-terminating loops due to integer overflow. This happens because the factorial calculation logic lacks proper bounds validation.

Detection Guidance

Detecting this vulnerability requires checking if your system uses NCalc versions prior to 6.1.1. Inspect installed NuGet packages for NCalc.Core or NCalcSync. Use commands like 'dotnet list package' or check project files for version references. Monitor for unusual CPU usage spikes during expression evaluations.

Impact Analysis

This vulnerability can lead to denial-of-service conditions by consuming excessive CPU resources or causing applications to hang when evaluating untrusted expressions. It may disrupt services relying on NCalc for expression evaluation, especially if untrusted input is processed.

Compliance Impact

This vulnerability primarily impacts availability by causing excessive CPU consumption or non-terminating loops, which could lead to system downtime. While it does not directly affect confidentiality or integrity, prolonged unavailability may violate compliance requirements in standards like GDPR (data processing continuity) or HIPAA (system availability for healthcare operations). Mitigation through input validation and timeouts is recommended.

Mitigation Strategies

Upgrade NCalc to version 6.1.1 or later immediately. If upgrading is not possible, avoid evaluating untrusted expressions, implement input validation, or set execution time limits. These are temporary measures as the root cause requires a patch.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart