Citrix Patches 6 High-Severity NetScaler ADC & Gateway Flaws
Citrix has issued a critical security bulletin addressing multiple high-severity vulnerabilities in NetScaler ADC and NetScaler Gateway that could allow attackers to trigger memory overreads, arbitrary file access, and denial-of-service (DoS) conditions across affected deployments.
The flaws affect widely deployed enterprise networking and remote access infrastructure, raising significant concerns for organizations that rely on these appliances for secure connectivity.
The vulnerabilities are tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474.
Citrix Fixes Critical NetScaler ADC, Gateway Flaws
According to advisory CTX696604, the flaws affect NetScaler ADC and Gateway versions 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18, including FIPS and NDcPP variants. Secure Private Access Hybrid deployments using NetScaler instances are also affected.
Citrix clarified that only customer-managed deployments are impacted, while Citrix-managed cloud services have already been patched.
The most critical issues stem from improper input validation and memory handling errors.
- CVE-2026-8451 (CVSS v4 8.8): Out-of-bounds read (CWE-125) leading to a memory overread when NetScaler is configured as a SAML Identity Provider, potentially exposing authentication-related data.
- CVE-2026-10817: Memory overread tied to TCP timestamp handling when enabled in TCP profiles associated with virtual servers.
- CVE-2026-8452 (CVSS 8.8): Memory overflow (CWE-119) leading to unpredictable behavior or service crashes; exploitable when NetScaler is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, making it especially dangerous for remote access environments.
- CVE-2026-8655: Multiple memory overflow vulnerabilities affecting Oracle load balancing, DNS proxy, and recursive DNS resolver configurations.
In addition to the memory corruption flaws, Citrix disclosed CVE-2026-10816, an unauthenticated arbitrary file read vulnerability with a CVSS score of 7.1.
This issue can be exploited when attackers have access to management interfaces such as NSIP, SNIP, or Cluster Management IP with management access enabled, potentially exposing sensitive configuration files or system data.
A separate high-severity flaw, CVE-2026-13474, with a CVSS score of 8.7, allows attackers to trigger denial-of-service conditions via specially crafted HTTP/2 requests.
This vulnerability arises from a memory leak (CWE-401, missing release of memory) when HTTP/2 is enabled in HTTP profiles; successful exploitation can disrupt services by exhausting system resources through stalled streams.
Citrix has urged customers to immediately upgrade to patched versions, specifically NetScaler ADC and Gateway 14.1-72.61 and 13.1-63.18 or later, with corresponding updated builds also released for FIPS and NDcPP deployments.
Notably, mitigating CVE-2026-13474 requires additional configuration changes in addition to patching. Administrators must set the newly introduced Http2SmallWndTimeout parameter to 30 seconds, especially in environments that do not use HTTP Strict Profiles, where the default value of 0 does not fully mitigate the issue.
Security teams are advised to review their configurations to determine potential exposure. Environments that use SAML IdP profiles, enable TCP timestamps, or configure HTTP/2 in default or custom HTTP profiles are particularly at risk.
Organizations should also audit DNS and Oracle load-balancing configurations, as well as management interface access controls, which may serve as prerequisites for exploitation.
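The two checks the advisory asks for, a build comparison against the fixed versions and a review of the configuration features named above, can be scripted. The following is an added example written for this article, not a Citrix tool: the `show ns version` output layout, the ns.conf command syntax for SAML IdP profiles, TCP profiles and HTTP profiles, and the CLI spelling of the Http2SmallWndTimeout parameter are all assumptions, and the sample version strings and configuration lines are constructed.

```python
import re

# Fixed builds from advisory CTX696604 as quoted in the article: 14.1-72.61 and 13.1-63.18.
FIXED_BUILDS = {"14.1": (72, 61), "13.1": (63, 18)}

# Assumed layout of 'show ns version' output, e.g. "NetScaler NS14.1: Build 65.22.nc, Date: ...".
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

# Assumed ns.conf command shapes for the features the article lists as preconditions.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\s+\S+", re.I)
TCP_TS_RE = re.compile(r"^(add|set) ns tcpProfile\s+\S+.*-timestamp\s+ENABLED", re.I)
HTTP2_RE = re.compile(r"^(add|set) ns httpProfile\s+\S+.*-http2\s+ENABLED", re.I)
# Assumed CLI spelling of the Http2SmallWndTimeout parameter; the article gives 30 as the required value.
WND_RE = re.compile(r"-http2SmallWndTimeout\s+30\b", re.I)


def parse_version(text):
    """Return (release, (major_build, minor_build)) or None if the text does not match."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(text):
    """True if the build predates the fixed build for its release, False if at or past it,
    None if the release is not one the advisory covers or the text cannot be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    release, build = parsed
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return None
    return build < fixed


def audit_config(lines):
    """Per-line heuristic scan of ns.conf text. Each finding is a dict with the CVE the
    feature is a precondition for, the 1-based line number, and for HTTP/2 profiles
    whether the Http2SmallWndTimeout=30 mitigation appears on the same line."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if SAML_IDP_RE.match(line):
            findings.append({"cve": "CVE-2026-8451", "line": n,
                             "note": "SAML IdP profile configured"})
        if TCP_TS_RE.match(line):
            findings.append({"cve": "CVE-2026-10817", "line": n,
                             "note": "TCP timestamps enabled in TCP profile"})
        if HTTP2_RE.match(line):
            mitigated = WND_RE.search(line) is not None
            findings.append({"cve": "CVE-2026-13474", "line": n, "mitigated": mitigated,
                             "note": "HTTP/2 enabled in HTTP profile"})
    return findings


# Constructed sample inputs (not real appliance output).
SAMPLE_VERSIONS = [
    "NetScaler NS14.1: Build 65.22.nc, Date: Jan 1 2026",   # pre-fix 14.1 build
    "NetScaler NS14.1: Build 72.61.nc, Date: Jan 1 2026",   # fixed 14.1 build
    "NetScaler NS13.1: Build 59.19.nc, Date: Jan 1 2026",   # pre-fix 13.1 build
    "NetScaler NS12.1: Build 65.25.nc, Date: Jan 1 2026",   # release not in the advisory
]
SAMPLE_CONFIG = """\
add ns httpProfile http2_prof -http2 ENABLED
add ns tcpProfile ts_prof -timestamp ENABLED
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert
add ns httpProfile mitigated_prof -http2 ENABLED -http2SmallWndTimeout 30
add ns tcpProfile plain_prof -timestamp DISABLED
""".splitlines()

if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(f"{v!r}: vulnerable={is_vulnerable(v)}")
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

The version check compares builds as integer tuples so that 14.1-65.22 sorts before 14.1-72.61 without string-comparison surprises. The configuration scan is deliberately line-local: a `set ns httpProfile` that adds the timeout to a profile created on an earlier line would not be correlated, so treat an unmitigated HTTP/2 finding as a prompt to inspect that profile rather than as proof.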
Given NetScaler’s central role in remote access and authentication infrastructure, delayed patching leaves a broad attack surface exposed, making prompt action a priority for affected organizations.