CVE-2026-55254 in NCalcinfo

Summary

by MITRE • 07/17/2026

NCalc is a fast, lightweight expression evaluator for .NET. Prior to 6.1.1, the factorial operator implementation in src/NCalc.Core/Helpers/MathHelper.cs permits specially crafted expressions with extremely large factorial operands, causing excessive CPU consumption or a non-terminating loop due to integer overflow in the factorial calculation logic when applications evaluate untrusted expressions. This issue is fixed in version 6.1.1.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in NCalc affects versions prior to 6.1.1 where the factorial operator implementation contains a critical flaw in the mathematical helper component located at src/NCalc.Core/Helpers/MathHelper.cs. This weakness enables attackers to craft malicious expressions that exploit integer overflow conditions during factorial calculations, leading to significant performance degradation or complete system hangs. The issue particularly impacts applications that process untrusted user input through the NCalc expression evaluator, creating a potential denial of service scenario where carefully constructed factorial operations can consume excessive CPU resources or enter infinite loops.

The technical root cause stems from inadequate bounds checking and overflow handling within the factorial calculation logic. When users provide expressions containing large factorial operands, the implementation fails to properly validate input parameters or implement appropriate safeguards against arithmetic overflows. This vulnerability manifests as a resource exhaustion condition where computational cycles are consumed disproportionately, potentially allowing an attacker to perform sustained denial of service attacks against systems utilizing vulnerable NCalc versions. The flaw demonstrates characteristics consistent with CWE-191 Integer Underflow/Overflow, specifically involving unsigned integer overflow conditions that can cause unexpected behavior in mathematical computations.

From an operational perspective, this vulnerability poses significant risks to applications relying on NCalc for expression evaluation, particularly those processing user-generated content or external data inputs. Systems may experience complete service unavailability when malicious expressions are evaluated, as the factorial operation consumes excessive CPU cycles without proper termination conditions. The impact extends beyond simple performance degradation to potential system instability, especially in environments where multiple concurrent evaluations occur or where resource constraints are already tight. Organizations using NCalc in production environments should immediately assess their exposure and implement appropriate mitigation strategies.

The fix implemented in version 6.1.1 addresses this vulnerability through enhanced input validation and overflow protection mechanisms within the factorial calculation logic. This update ensures that large factorial operands are properly bounded and that computational resources are appropriately managed during expression evaluation. Security practitioners should prioritize upgrading to NCalc 6.1.1 or later versions to eliminate this threat vector, while also implementing additional input sanitization measures for any applications processing untrusted expressions. The remediation aligns with best practices recommended in the ATT&CK framework under defense evasion and resource exhaustion tactics, emphasizing the importance of proper mathematical operation validation in expression evaluation systems. Organizations should conduct thorough testing to verify that the upgrade does not introduce compatibility issues while ensuring that all affected systems receive the necessary security patch to prevent exploitation attempts targeting this specific vulnerability pattern.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!