Citrix Releases Patches for Six Critical NetScaler Vulnerabilities

Citrix has issued security updates to address six vulnerabilities in its NetScaler ADC and NetScaler Gateway products. These flaws could allow attackers to perform arbitrary file reads or cause denial-of-service (DoS) conditions.

The identified vulnerabilities are:

  • CVE-2026-8451 (CVSS score: 8.8): Insufficient input validation leading to memory overread when NetScaler is configured as a SAML Identity Provider (IDP).
  • CVE-2026-8452 (CVSS score: 8.8): Memory overflow vulnerability causing unpredictable behavior and potential DoS when the appliance is set up as a Gateway or an AAA virtual server.
  • CVE-2026-8655 (CVSS score: 8.8): Multiple memory overflow issues leading to erratic behavior and DoS in configurations such as Oracle load balancing, DNS Proxy, or DNS recursive resolver deployments.
  • CVE-2026-10816 (CVSS score: 7.7): External control of file name/path vulnerability allowing unauthenticated arbitrary file reads when access to NSIP, Cluster Management IP, or SNIP with management access is enabled.
  • CVE-2026-10817 (CVSS score: 6.9): Insufficient input validation causing memory overread when TCP TimeStamp is enabled in a TCP Profile associated with virtual servers or services.
  • CVE-2026-13474 (CVSS score: 8.7): Memory release issue leading to DoS via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile associated with virtual servers or services.

Citrix has released patches in the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
  • NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP

For CVE-2026-13474, customers should also adjust the Http2SmallWndTimeout parameter, which controls the timeout for HTTP/2 small-window stalled streams. Appliances using HTTP Strict Profiles have this parameter set to 30 seconds by default, making the fix effective immediately after the upgrade. For appliances not using HTTP Strict Profiles, the default value is 0. In such cases, upgrading alone won’t fully address the vulnerability; customers must manually set Http2SmallWndTimeout to 30 seconds using the following command:

set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>
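As an added illustration (not Citrix's own tooling or part of the advisory), the script below audits a saved NetScaler configuration (ns.conf) for HTTP profiles that have HTTP/2 enabled but no Http2SmallWndTimeout, and prints the set ns httpProfile command from the advisory for each one. It assumes the ns.conf line syntax add/set ns httpProfile <name> -param value ... and that HTTP/2 is switched on in a profile with -http2 ENABLED (a parameter the advisory itself does not mention); the profile names and lines in SAMPLE_NS_CONF are constructed for the example. Because ns.conf records only explicitly set values and a strict profile cannot be recognised from its line alone, an absent timeout is treated conservatively as 0 and flagged for confirmation.

```python
import shlex
from typing import Dict, List

# Constructed ns.conf excerpt: these profile names and values are made up for
# the example and are not taken from any real appliance.
SAMPLE_NS_CONF = """\
add ns httpProfile nshttp_default_strict_validation -http2 ENABLED -http2SmallWndTimeout 30
add ns httpProfile http2_api_profile -http2 ENABLED -http2SmallWndTimeout 0
add ns httpProfile http2_portal_profile -http2 ENABLED
add ns httpProfile http2_intranet_profile -http2 ENABLED
set ns httpProfile http2_intranet_profile -http2SmallWndTimeout 30
add ns httpProfile legacy_http11_profile -http2 DISABLED
"""


def parse_http_profiles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect the parameters of every 'ns httpProfile' object in an ns.conf.

    'add' creates the profile; a later 'set' on the same name overrides
    individual parameters, mirroring how the appliance applies the config.
    Parameter names are lower-cased so lookups are case-insensitive.
    """
    profiles: Dict[str, Dict[str, str]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted profile names
        if len(tokens) < 4 or tokens[1:3] != ["ns", "httpProfile"]:
            continue
        verb, name = tokens[0], tokens[3]
        if verb not in ("add", "set"):
            continue
        params = profiles.setdefault(name, {})
        args = tokens[4:]
        i = 0
        while i < len(args):
            key = args[i]
            if key.startswith("-"):
                has_value = i + 1 < len(args) and not args[i + 1].startswith("-")
                value = args[i + 1] if has_value else ""
                params[key[1:].lower()] = value
                i += 2 if has_value else 1
            else:
                i += 1
    return profiles


def http2_stall_timeout(params: Dict[str, str]) -> int:
    """Effective Http2SmallWndTimeout for a profile.

    The advisory states the default is 30 s for HTTP Strict Profiles and 0
    otherwise. An absent or unparsable value is treated as 0 here so that
    the profile is flagged and checked on the appliance rather than missed.
    """
    try:
        return int(params.get("http2smallwndtimeout", "0"))
    except ValueError:
        return 0


def find_unprotected(profiles: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of profiles with HTTP/2 enabled and no stalled-stream timeout."""
    return sorted(
        name
        for name, params in profiles.items()
        if params.get("http2", "DISABLED").upper() == "ENABLED"
        and http2_stall_timeout(params) == 0
    )


def remediation_commands(names: List[str], seconds: int = 30) -> List[str]:
    """The 'set ns httpProfile' command from the advisory, one per profile."""
    return [
        f"set ns httpProfile {shlex.quote(name)} -http2SmallWndTimeout {seconds}"
        for name in names
    ]


if __name__ == "__main__":
    flagged = find_unprotected(parse_http_profiles(SAMPLE_NS_CONF))
    for command in remediation_commands(flagged):
        print(command)
```

Run against a real ns.conf, the flagged list is a worklist, not a verdict: confirm each profile's current value with show ns httpProfile <name> on the appliance before applying the set command, and save the running configuration afterwards so the change survives a reboot.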

Citrix has acknowledged contributions from Michael Tucker of JPMorgan Chase’s XOR team, Aliz Hammond of watchTowr, and researcher Maxim Suhanov for reporting these vulnerabilities. Currently, there is no evidence of these issues being exploited in the wild.

Notably, watchTowr Labs discovered CVE-2026-8451 in late March 2026 while attempting to reproduce CVE-2026-3055, another input validation flaw disclosed earlier this year. The vulnerability arises from how NetScaler parses SAML authentication requests, leading to out-of-bounds memory reads when processing malformed SAML requests.

Given the critical nature of these vulnerabilities and the role of NetScaler appliances in enterprise environments, it’s imperative for organizations to apply these patches promptly. Delaying updates could expose systems to potential attacks, compromising sensitive data and disrupting services.