"One thing we're keen to note: in contrast to the original CVE-2026-3055, in which kilobytes of binary data can be leaked, this overread will terminate the out-of-bounds read when various control characters are read, such as NULL (or even >)," security researcher Aliz Hammond said.
The vulnerabilities at a glance
Citrix released updates addressing six vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Each is tracked by a CVE identifier and carries a CVSS score between 6.9 and 8.8:
- CVE-2026-8451 (CVSS 8.8) — insufficient input validation leading to memory overread when NetScaler is configured as a SAML IDP.
- CVE-2026-8452 (CVSS 8.8) — memory overflow producing unpredictable behavior and denial-of-service (DoS) when configured as a Gateway or an AAA virtual server.
- CVE-2026-8655 (CVSS 8.8) — multiple memory overflow flaws causing unpredictable behavior and DoS when NetScaler is configured as an Oracle LB, a DNS Proxy, or a DNS recursive resolver.
- CVE-2026-10816 (CVSS 7.7) — external control of the file name/path enabling unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled.
- CVE-2026-10817 (CVSS 6.9) — insufficient input validation leading to memory overread when TCP TimeStamp is enabled in TCP Profile and attached to virtual servers or services.
- CVE-2026-13474 (CVSS 8.7) — missing release of memory after effective lifetime allowing DoS via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with virtual servers or services.
What Citrix released and who reported it
Citrix published patched builds for multiple product lines. The security fixes are included in:
- NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases;
- NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1;
- NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS;
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP.
Citrix (per the bulletin) credited Michael Tucker from the XOR team at JPMorgan Chase, Aliz Hammond of watchTowr, and Maxim Suhanov for reporting the vulnerabilities. The company stated there is no evidence that the issues have been exploited in the wild.
Technical notes operators must act on now
Two practical items require special attention from administrators.
- For CVE-2026-13474 (HTTP/2 memory release): the fix depends on the Http2SmallWndTimeout parameter of the HTTP Profile, which sets the timeout (in seconds) for HTTP/2 streams stalled on a small window. On appliances using HTTP Strict Profiles this parameter defaults to 30 seconds, so the fix takes effect as soon as the upgraded build is running. On appliances not using HTTP Strict Profiles it defaults to 0, and upgrading alone does not fully remediate the issue: administrators must set the timeout to 30 seconds themselves on the HTTP/2-enabled profiles attached to virtual servers or services, using: set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>
- For CVE-2026-10816 (unauthenticated arbitrary file read): the flaw is reachable only through the NSIP, the Cluster Management IP, or a SNIP with management access enabled, so exposure is decided by which addresses carry management access and from where they can be reached. Administrators should prioritize applying the patched builds listed above and review which SNIPs have management access enabled.
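Both checks above can be run against a saved configuration instead of by inspection in the GUI. The script below is an added example, not Citrix tooling and not part of the bulletin or the watchTowr write-up: it parses an ns.conf-style export, reconstructs which HTTP profiles have HTTP/2 enabled, which of them rely on the Http2SmallWndTimeout default rather than an explicit value, which virtual servers and services reference them, and which addresses carry management access (NSIP, Cluster Management IP, or SNIP with -mgmtAccess ENABLED). The ns.conf fragment is constructed for the example. The command shapes (add/set ns ip, add/set ns httpProfile, -httpProfileName on lb/cs vservers and services) follow NetScaler's documented CLI; the assumption that "HTTP Strict Profiles" refers to the built-in nshttp_default_strict_validation profile, and the defaults of 30 seconds for strict profiles and 0 otherwise, are taken from the bulletin as the article reports it.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed ns.conf fragment for this example (invented names, RFC 5737 test addresses), not an
# export from any real appliance. Command shapes follow NetScaler's documented CLI.
SAMPLE_NS_CONF = """\
add ns ip 192.0.2.20 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 192.0.2.21 255.255.255.0 -type SNIP
add ns ip 192.0.2.30 255.255.255.0 -type CLIP
set ns httpProfile nshttp_default_strict_validation -http2 ENABLED
add ns httpProfile h2_public -http2 ENABLED
add ns httpProfile h2_internal -http2 ENABLED -http2SmallWndTimeout 30
add ns httpProfile h2_unused -http2 ENABLED
add lb vserver web_lb SSL 192.0.2.50 443 -httpProfileName h2_public
add lb vserver api_lb SSL 192.0.2.51 443 -httpProfileName h2_internal
add cs vserver portal_cs SSL 192.0.2.52 443 -httpProfileName nshttp_default_strict_validation
add service app_svc 10.0.0.5 HTTP 8080 -httpProfileName h2_public
"""

# Assumption: "HTTP Strict Profiles" in the bulletin means the built-in strict-validation profile.
# The bulletin, as the article reports it, gives a default of 30 s for strict profiles and 0 otherwise.
STRICT_PROFILE_NAMES = {"nshttp_default_strict_validation"}
STRICT_DEFAULT, NON_STRICT_DEFAULT, RECOMMENDED = 30, 0, 30


@dataclass
class HttpProfile:
    name: str
    http2: str = "DISABLED"
    small_wnd_timeout: int | None = None  # None: not set explicitly, so the default applies
    bound_to: list[str] = field(default_factory=list)

    def effective_timeout(self) -> int:
        if self.small_wnd_timeout is not None:
            return self.small_wnd_timeout
        return STRICT_DEFAULT if self.name in STRICT_PROFILE_NAMES else NON_STRICT_DEFAULT


def parse_options(tokens: list[str]) -> dict[str, str]:
    """['-type', 'SNIP', '-mgmtAccess', 'ENABLED'] -> {'type': 'SNIP', 'mgmtAccess': 'ENABLED'}."""
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tokens[i].startswith("-"):
            opts[tokens[i][1:]] = tokens[i + 1] if has_value else "true"  # bare switch
            i += 2 if has_value else 1
        else:
            i += 1  # positional argument (IP, netmask, port, ...)
    return opts


def parse_ns_conf(text: str) -> tuple[dict[str, HttpProfile], list[tuple[str, str]]]:
    """Return HTTP profiles with their bindings, and addresses that carry management access."""
    profiles, mgmt_addrs = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if len(tok) < 4 or tok[0] not in ("add", "set"):
            continue
        if tok[1:3] == ["ns", "httpProfile"]:
            p, opts = profiles.setdefault(tok[3], HttpProfile(tok[3])), parse_options(tok[4:])
            p.http2 = opts.get("http2", p.http2).upper()
            if "http2SmallWndTimeout" in opts:
                p.small_wnd_timeout = int(opts["http2SmallWndTimeout"])
        elif tok[1:3] == ["ns", "ip"]:
            opts = parse_options(tok[4:])
            kind = opts.get("type", "SNIP").upper()
            if kind in ("NSIP", "CLIP"):  # management addresses by definition
                mgmt_addrs.append((tok[3], kind))
            elif kind == "SNIP" and opts.get("mgmtAccess", "DISABLED").upper() == "ENABLED":
                mgmt_addrs.append((tok[3], "SNIP with -mgmtAccess ENABLED"))
        elif (tok[1] in ("lb", "cs") and tok[2] == "vserver") or tok[1] == "service":
            is_vs = tok[1] != "service"  # lb/cs vservers and services can carry an HTTP profile
            entity = f"{tok[1]} vserver {tok[3]}" if is_vs else f"service {tok[2]}"
            prof = parse_options(tok[4:] if is_vs else tok[3:]).get("httpProfileName")
            if prof:
                profiles.setdefault(prof, HttpProfile(prof)).bound_to.append(entity)
    return profiles, mgmt_addrs


def audit(text: str) -> dict:
    """Flag HTTP/2 profiles whose effective Http2SmallWndTimeout is 0; list management addresses."""
    profiles, mgmt_addrs = parse_ns_conf(text)
    findings = []
    for p in profiles.values():
        if p.http2 != "ENABLED" or p.effective_timeout() != 0:
            continue
        findings.append({"profile": p.name, "bound_to": sorted(p.bound_to),
                         "status": "exposed" if p.bound_to else "latent",  # exposed only when attached
                         "fix": f"set ns httpProfile {p.name} -http2SmallWndTimeout {RECOMMENDED}"})
    return {"http2_findings": sorted(findings, key=lambda f: f["profile"]), "mgmt_addresses": mgmt_addrs}


if __name__ == "__main__":
    result = audit(SAMPLE_NS_CONF)
    for f in result["http2_findings"]:
        print(f"[{f['status']}] {f['profile']} -> {f['fix']}  (bound to: {f['bound_to'] or 'nothing'})")
    for ip, why in result["mgmt_addresses"]:
        print(f"[mgmt] {ip}: {why}")
```

On the constructed sample, h2_public is reported as exposed (HTTP/2 on, no explicit timeout, attached to a vserver and a service) with the exact set command to run, h2_unused is reported as latent because nothing references it yet, h2_internal and the strict profile are silent because their effective timeout is already 30, and the two management-reachable addresses are listed so they can be compared against firewall rules. Feed it a saved running configuration instead of SAMPLE_NS_CONF to run it for real; the strict-profile assumption is isolated in STRICT_PROFILE_NAMES so it can be corrected if the bulletin's wording turns out to cover other profiles.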
How technologists, enterprises, and adversaries are likely to respond
Technologists and security teams: the immediate work is to patch to the listed builds, validate HTTP Profile settings for HTTP/2, and confirm whether NSIP, Cluster Management IP, or SNIP management access is reachable from untrusted networks. Because several flaws are triggered only by specific feature configurations (SAML IDP, TCP TimeStamp, HTTP/2, DNS roles, Oracle LB), an inventory of which roles each appliance actually serves determines exposure.
Affected enterprises and procurement leaders: organizations running NetScaler ADC or NetScaler Gateway on the affected 13.1 or 14.1 branches must schedule upgrades to the fixed builds and, where FIPS or NDcPP variants are in use, apply the corresponding patched releases. The bulletin’s specific build numbers give concrete targets for procurement and change-control teams.
Adversaries and threat actors: while Citrix reported no evidence of in-the-wild exploitation, the bulletin notes that multiple memory-management issues could be attractive to attackers. The report reminds readers that Citrix appliances have been exploited in recent years for ransomware deployment, which is why timely patching is critical.
Closing observation
watchTowr Labs, in a technical write-up accompanying Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce a prior insufficient input validation flaw (CVE-2026-3055) disclosed earlier this year. Hammond warned that the root cause, fragile memory management in NetScaler appliances, follows a pattern: malformed SAML requests can produce out-of-bounds reads, and while the current overread may leak only a few bytes per request, the trend is what she called concerning. Given the specific configurations that open these failures and the availability of patched builds, the next step is straightforward: operators must apply the listed updates, set Http2SmallWndTimeout where required, and recheck management-access bindings to limit exposure.