Ravie Lakshmanan | Jul 01, 2026 | Vulnerability / Enterprise Security
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.
The vulnerabilities are listed below –
- CVE-2026-8451 (CVSS score: 8.8) – An insufficient input validation vulnerability leading to memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML IDP
- CVE-2026-8452 (CVSS score: 8.8) – A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
- CVE-2026-8655 (CVSS score: 8.8) – Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
- CVE-2026-10816 (CVSS score: 7.7) – An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
- CVE-2026-10817 (CVSS score: 6.9) – An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
- CVE-2026-13474 (CVSS score: 8.7) – A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions –
- NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
- NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams –
- For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds. The fix is effective immediately after the upgrade.
- For appliances NOT using HTTP Strict Profiles, the default value is 0. In this case, merely upgrading to the builds containing the fix will not address the vulnerability completely. Customers must manually set Http2SmallWndTimeout to 30 seconds.
The command to set this parameter is below (replace <profile_name> with the name of the HTTP profile bound to the affected virtual server or service) –
set ns httpProfile <profile_name> -http2SmallWndTimeout 30
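Because the fix for CVE-2026-13474 is only complete once every HTTP/2-enabled, non-strict profile carries a positive Http2SmallWndTimeout, an audit over the running configuration is a quick way to find profiles still at the default of 0. The script below is an added example, not Citrix's or watchTowr's code; it assumes the running-config line shape "add|set ns httpProfile <name> -param value ..." and that the built-in strict profile is named nshttp_default_strict_validation, and it runs on constructed sample lines rather than a real appliance dump.

```python
import re

# Constructed sample of NetScaler running-config lines (not a real appliance dump).
# Assumed format: "add|set ns httpProfile <name> [-param value ...]".
SAMPLE_CONFIG = """\
add ns httpProfile nshttp_default_strict_validation -http2 ENABLED
add ns httpProfile web_profile -http2 ENABLED
add ns httpProfile legacy_profile -http2 DISABLED
add ns httpProfile api_profile -http2 ENABLED -http2SmallWndTimeout 0
set ns httpProfile web_profile -http2SmallWndTimeout 30
"""

# Assumption: the built-in strict profile defaults the timeout to 30 s (per the advisory);
# every other profile defaults to 0 and must be set explicitly.
STRICT_DEFAULT_PROFILES = {"nshttp_default_strict_validation"}

PROFILE_RE = re.compile(r"^(add|set) ns httpProfile (\S+)(.*)$")
PARAM_RE = re.compile(r"-(\w+)\s+(\S+)")


def parse_http_profiles(config_text):
    """Return {profile_name: {param: value}}, merging 'add' lines with later 'set' overrides."""
    profiles = {}
    for line in config_text.splitlines():
        m = PROFILE_RE.match(line.strip())
        if not m:
            continue
        name = m.group(2)
        profiles.setdefault(name, {}).update(dict(PARAM_RE.findall(m.group(3))))
    return profiles


def find_exposed_profiles(config_text):
    """Names of profiles with HTTP/2 enabled whose effective small-window timeout is 0."""
    exposed = []
    for name, params in parse_http_profiles(config_text).items():
        if params.get("http2", "DISABLED").upper() != "ENABLED":
            continue  # HTTP/2 disabled: the DoS path is not reachable
        default = "30" if name in STRICT_DEFAULT_PROFILES else "0"
        if int(params.get("http2SmallWndTimeout", default)) <= 0:
            exposed.append(name)
    return exposed


def remediation_commands(config_text, timeout=30):
    """One 'set ns httpProfile' command per exposed profile, applying the advised 30 s timeout."""
    return [f"set ns httpProfile {name} -http2SmallWndTimeout {timeout}"
            for name in find_exposed_profiles(config_text)]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_CONFIG):
        print(cmd)
```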
Citrix credited Michael Tucker from the XOR team at JPMorgan Chase, Aliz Hammond of watchTowr, and Maxim Suhanov for reporting the vulnerabilities. There is no evidence that the issues have been exploited in the wild.
watchTowr Labs, in a technical write-up released alongside Citrix’s bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce CVE-2026-3055 (CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year.
The cybersecurity company said the vulnerability stems from how NetScaler parses SAML authentication requests and shares the same root cause as the March 2026 flaw, resulting in out-of-bounds memory reads when sending malformed SAML requests.
“One thing we’re keen to note: in contrast to the original CVE-2026-3055, in which kilobytes of binary data can be leaked, this overread will terminate the out-of-bounds read when various control characters are read, such as NULL (or even >),” security researcher Hammond said. “In practice, we found that by varying the request length, we could consistently squeeze a few bytes out of the server.”
“However, what should be of concern is the bigger picture – the trend, which is very clearly suggesting that memory management continues to appear fragile within Citrix NetScaler appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory.”
In recent years, Citrix appliances have been a lucrative attack target, with multiple flaws in the software exploited by threat actors to deploy ransomware, making it crucial that users apply the patches promptly for optimal protection.