PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55254 ncalc CVE debrief

CVE-2026-55254 is a vulnerability in NCalc, a .NET expression evaluator. The issue permits specially crafted expressions with extremely large factorial operands, causing excessive CPU consumption or a non-terminating loop due to integer overflow in the factorial calculation logic. This occurs when applications evaluate untrusted expressions. The vulnerability is fixed in version 6.1.1. Developers and administrators using NCalc in their applications should be aware of this vulnerability and ensure that their applications do not evaluate untrusted expressions.

Vendor
ncalc
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers and administrators using NCalc in their applications should be aware of this vulnerability. They should ensure that their applications do not evaluate untrusted expressions and consider upgrading to version 6.1.1 or later. Affected operators, platforms, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The factorial operator implementation in NCalc's MathHelper.cs file allows for specially crafted expressions with extremely large factorial operands. This causes excessive CPU consumption or a non-terminating loop due to integer overflow in the factorial calculation logic when applications evaluate untrusted expressions. The vulnerability is fixed in version 6.1.1. Affected applications should ensure that they do not evaluate untrusted expressions and consider upgrading to version 6.1.1 or later.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to NCalc version 6.1.1 or later
  • Validate and sanitize all input expressions
  • Implement additional monitoring and logging to detect potential attacks
  • Consider using compensating controls such as rate limiting or IP blocking
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T20:17:27.023Z and has not been modified since then. The NVD entry is currently 4.8 (Medium). The vulnerability affects NCalc, a .NET expression evaluator, and is caused by the factorial operator implementation in src/NCalc.Core/Helpers/MathHelper.cs. The issue permits specially crafted expressions with extremely large factorial operands, causing excessive CPU consumption or a non-terminating loop due to integer overflow in the factorial calculation logic when applications evaluate untrusted expressions. To verify, defenders should review the official advisory and CVE record, and check for affected product deployments in managed environments.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:27.023Z and has not been modified since then.