CVE-2026-55254: NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation

June 18, 2026

A denial-of-service (DoS) vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in the factorial calculation logic.

Applications that evaluate untrusted expressions using affected versions of NCalc may be vulnerable to resource exhaustion, potentially resulting in service disruption or application unresponsiveness.

This issue can be triggered with expressions such as:

99999999999999!
9223372036854775807!
1.5e16!

References

Code Behaviors & Features

Detect and mitigate CVE-2026-55254 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →