DOwoRO rKeXIYBntwu Dldc

Critical Security Advisory: High-Severity Memory and Access Vulnerabilities in Citrix NetScaler ADC and Gateway

Citrix has issued an urgent security bulletin targeting a cluster of high-severity vulnerabilities discovered within its NetScaler ADC and NetScaler Gateway ecosystems. These flaws represent a significant risk to enterprise perimeter security, as they provide potential pathways for memory overreads, unauthorized arbitrary file access, and localized Denial-of-Service (DoS) conditions.

The vulnerabilities are tracked under several identifiers, including CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474. Because NetScaler appliances often sit at the edge of the network to manage remote access and application delivery, these vulnerabilities could allow attackers to pivot from the perimeter into more sensitive internal segments.

Technical Breakdown of the Vulnerabilities

According to the official Citrix advisory (CTX696604), the affected versions include NetScaler ADC and Gateway 14.1 (prior to 14.1-72.61) and 13.1 (prior to 13.1-63.18). This includes FIPS and NDcPP validated variants. While Citrix-managed cloud services have been patched, organizations running customer-managed on-premises or cloud-hosted instances must take immediate action.

Memory Corruption and Information Disclosure

A significant portion of these flaws stems from improper input validation and memory management errors:

  • CVE-2026-8451 (CVSS v4: 8.8): An out-of-bounds read (CWE-125) vulnerability. When the appliance is configured as a SAML Identity Provider (IdP), an attacker may trigger a memory overread, potentially leaking sensitive data from the system’s memory, including authentication tokens or session information.
  • CVE-2026-10817: A similar memory overread issue triggered by how the system handles TCP timestamps when enabled within TCP profiles associated with virtual servers.
  • CVE-2026-8452 (CVSS: 8.8): A memory overflow (CWE-119) that can lead to system instability or service crashes. This is particularly critical for environments utilizing NetScaler as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server.
  • CVE-2026-8655: This expands the attack surface to include specialized configurations such as Oracle load balancing, DNS proxy, and recursive DNS resolver deployments, all of which are susceptible to memory overflow.

Unauthorized File Access and Denial of Service

Beyond memory corruption, two other vulnerabilities present distinct operational risks:

  • CVE-2026-10816 (CVSS: 7.1): An unauthenticated arbitrary-file-read vulnerability. If an attacker can reach management interfaces—such as the NSIP, SNIP, or Cluster Management IP—they may be able to exfiltrate sensitive configuration files or system-level data.
  • CVE-2026-13474 (CVSS: 8.7): A Denial-of-Service vulnerability stemming from improper memory handling (CWE-401) during HTTP/2 processing. By sending specially crafted HTTP/2 requests, an attacker can exhaust system resources via stalled streams, effectively taking the service offline.

Remediation and Hardening Requirements

Citrix strongly recommends that administrators prioritize upgrading to NetScaler ADC and Gateway 14.1-72.61, 13.1-63.18, or later. For those utilizing FIPS or NDcPP builds, please ensure you deploy the specific corresponding updated builds.

Important: Mitigation for CVE-2026-13474
Patching alone may not fully resolve the HTTP/2 DoS risk in all environments. Administrators must manually adjust configuration parameters. Specifically, you must set the Http2SmallWndTimeout parameter to 30 seconds. This is especially vital in environments that do not use HTTP Strict Profiles, as the default value (0) does not provide adequate protection against resource exhaustion.

Security Audit Checklist

To minimize your exposure, security teams should audit the following configurations:

  • Verify if SAML IdP profiles are active (Risk: CVE-2026-8451).
  • Check for enabled TCP timestamps in virtual server profiles (Risk: CVE-2026-10817).
  • Review DNS, Oracle load-balancing, and HTTP/2 configurations (Risk: CVE-2026-8655 / CVE-2026-13474).
  • Ensure management interfaces (NSIP/SNIP) are strictly isolated and not exposed to untrusted networks (Risk: CVE-2026-10816).

These vulnerabilities were responsibly disclosed by researchers from the JPMorgan Chase XOR team, watchTowr, and Maxim Suhanov. Given the role NetScaler plays in modern enterprise architecture, immediate patching is the most effective way to prevent these flaws from being leveraged for initial access or service disruption.

Related Articles

Back to top button