Skip to main content

NCalc CVE-2026-55254

MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-18 https://github.com/ncalc/ncalc GHSA-3w5p-95mh-gq75
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network vector and no-privilege access apply when NCalc evaluates untrusted input via an API; only availability is impacted - no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 14:07 vuln.today
Analysis Generated
Jun 18, 2026 - 14:07 vuln.today

DescriptionGitHub Advisory

Impact

A denial-of-service (DoS) vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in the factorial calculation logic.

Applications that evaluate untrusted expressions using affected versions of NCalc may be vulnerable to resource exhaustion, potentially resulting in service disruption or application unresponsiveness.

This issue can be triggered with expressions such as:

text
99999999999999!
9223372036854775807!
1.5e16!

Patches

The vulnerability has been fixed by adding bounds validation for factorial operands and rejecting unsupported values before evaluation.

Users should upgrade to the first release containing the fix from pull request #575. (v6.1.1+)

Workarounds

If upgrading is not immediately possible:

  • Do not evaluate expressions originating from untrusted users.
  • Validate or sanitize expressions before evaluation and reject factorial operations on large values.
  • Implement execution time limits, request timeouts, or cancellation mechanisms around expression evaluation.

These mitigations may reduce exposure but do not fully address the underlying vulnerability.

AnalysisAI

Denial-of-service via unbounded factorial evaluation affects NCalc (NCalc.Core and NCalcSync NuGet packages) prior to v6.1.1, allowing remote attackers to exhaust CPU resources or trigger non-terminating computation loops by submitting expressions with extremely large factorial operands such as 9223372036854775807! (Int64.MaxValue). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify application accepting NCalc expressions
Delivery
Craft expression with oversized factorial operand (e.g., 9223372036854775807!)
Exploit
Submit via exposed API or input field
Execution
NCalc evaluator dispatches to unbounded CalculateFactorial loop
Persist
Integer overflow causes non-termination
Impact
CPU exhaustion degrades or halts service

Vulnerability AssessmentAI

Exploitation The application must pass attacker-controlled or untrusted string input directly to NCalc's expression evaluator (e.g., Expression.Evaluate()) without pre-validating or sanitizing factorial operands. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.8 (AV:A/AC:H/PR:N/UI:R) reflects a conservative scope: adjacent-network attack vector and user-interaction required imply constrained exploitation conditions, keeping the score in the medium range despite A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits the expression '9223372036854775807!' through any application endpoint that passes user-controlled strings to NCalc for evaluation - for example, a reporting engine, spreadsheet formula API, or configuration DSL. NCalc's MathHelper.Factorial() dispatches the Int64.MaxValue operand to the unbounded calculation loop, which overflows and enters a non-terminating state, consuming 100% of a CPU core. …
Remediation Upgrade NCalc.Core and NCalcSync to v6.1.1 or later, which contains the bounds-validation fix from PR #575 (https://github.com/ncalc/ncalc/pull/575). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy