Full Report
Citrix has patched two NetScaler ADC and NetScaler Gateway vulnerabilities, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws exploited in zero-day attacks in recent years. [...]
Analysis Summary
# Vulnerability: Citrix NetScaler memory overread and session mix-up
## CVE Details
- **CVE-2026-3055**
  - **CVSS Score:** Critical (exact score pending; described as a "critical security bug")
  - **CWE:** CWE-125 (Out-of-bounds Read) / Insufficient Input Validation
- **CVE-2026-4368**
  - **CVSS Score:** Medium (noted as low-complexity but requiring low privileges)
  - **CWE:** CWE-362 (Race Condition)
## Affected Systems
- **Products:** NetScaler ADC and NetScaler Gateway
- **Versions:**
  - 13.1 (prior to 13.1-62.23)
  - 14.1 (prior to 14.1-66.59)
  - 13.1-FIPS (prior to 13.1-37.262)
  - 13.1-NDcPP (prior to 13.1-37.262)
- **Configurations:**
  - **CVE-2026-3055:** Appliance must be configured as a SAML Identity Provider (IdP).
  - **CVE-2026-4368:** Appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA virtual server.
## Vulnerability Description
**CVE-2026-3055:** A memory overread (out-of-bounds read) vulnerability, similar in nature to "CitrixBleed", caused by insufficient input validation. It allows an unauthenticated remote attacker to read memory contents beyond what is intended, potentially exposing session tokens or other sensitive data held in system memory.
**CVE-2026-4368:** A race condition. An authenticated user with low privileges can trigger it, causing a "user session mix-up" in which one user may inadvertently gain access to another user's active session.
## Exploitation
- **Status:** Not currently exploited in the wild (identified internally by Citrix); however, security researchers expect rapid reverse-engineering of the patch.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential theft of session tokens and sensitive memory data)
- **Integrity:** Medium (Potential session hijacking through session mix-ups)
- **Availability:** Low
## Remediation
### Patches
Citrix strongly urges upgrading to the following versions or higher:
- NetScaler ADC and NetScaler Gateway **14.1-66.59**
- NetScaler ADC and NetScaler Gateway **13.1-62.23**
- NetScaler ADC 13.1-FIPS **13.1-37.262**
- NetScaler ADC 13.1-NDcPP **13.1-37.262**
### Workarounds
No specific configuration workarounds are provided other than patching. Organizations not using the SAML IdP or Gateway features may be at lower risk but are still advised to update.
## Detection
- **Indicators of Compromise:** Admins should look for unusual SAML request patterns or unexpected session termination/clashes.
- **Detection methods and tools:** NetScaler Console service offers guided remediation and identification of vulnerable instances.
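As an added example that is not part of the advisory or of any Citrix tooling, the check below encodes the fixed-build table above and flags which of the two CVEs an appliance is still exposed to, given its build line, flavour (standard, FIPS or NDcPP) and configured roles. It assumes build strings in the advisory's `13.1-62.23` form or the `NS13.1: Build 62.23.nc` style that the NetScaler CLI prints (the latter format is an assumption); note that a FIPS/NDcPP appliance on 13.1-37.262 is fixed while a standard 13.1 appliance on the same build is not.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed builds from the Citrix bulletin for CVE-2026-3055 / CVE-2026-4368.
# Keyed by (major line, flavour); "std" covers the regular 13.1 and 14.1 lines.
FIXED_BUILDS = {
    ("14.1", "std"): (66, 59),
    ("13.1", "std"): (62, 23),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDcPP"): (37, 262),
}

# Accepts "13.1-62.23" (advisory form) and, as an assumption about CLI output,
# "NetScaler NS13.1: Build 62.23.nc, Date: ...".
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_build(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (major, build, minor), e.g. ("13.1", 62, 23), or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_patched(text: str, flavor: str = "std") -> Optional[bool]:
    """True if the build is at or above the fixed build for its line and flavour.

    Returns None when the line/flavour is not in the bulletin (needs manual review).
    """
    parsed = parse_build(text)
    if parsed is None:
        return None
    major, build, minor = parsed
    fixed = FIXED_BUILDS.get((major, flavor))
    if fixed is None:
        return None
    return (build, minor) >= fixed


def exposure(text: str, flavor: str, saml_idp: bool, gateway_or_aaa: bool) -> List[str]:
    """List the CVEs the appliance is exposed to given its configured roles.

    An unknown patch state (None) is treated conservatively as unpatched.
    """
    if is_patched(text, flavor):
        return []
    cves = []
    if saml_idp:          # CVE-2026-3055 requires the SAML IdP role
        cves.append("CVE-2026-3055")
    if gateway_or_aaa:    # CVE-2026-4368 requires a Gateway or AAA vserver
        cves.append("CVE-2026-4368")
    return cves
```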
## References
- [Vendor Advisory (Citrix)] hxxps://support[.]citrix[.]com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368
- [Rapid7 Analysis] hxxps://www[.]rapid7[.]com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read/
- [Citrix Remediation Guidance] hxxps://docs[.]netscaler[.]com/en-us/netscaler-console-service/instance-advisory/remediate-vulnerabilities-cve-2026-3055