AL26-006 - Vulnerability impacting Citrix NetScaler ADC and NetScaler Gateway - CVE-2026-3055
Analysis Summary
# Vulnerability: Citrix NetScaler Memory Overread in SAML IdP Configurations
## CVE Details
- **CVE ID:** CVE-2026-3055
- **CVSS Score:** Critical (Base score not explicitly provided in article, but categorized as critical by CCCS)
- **CWE:** CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products:**
  - NetScaler ADC (formerly Citrix ADC)
  - NetScaler Gateway (formerly Citrix Gateway)
- **Versions:**
  - 14.1 prior to 14.1-60.58
  - 13.1 prior to 13.1-62.23
  - 13.1-FIPS prior to 13.1-37.262
  - 13.1-NDcPP prior to 13.1-37.262
- **Configurations:** The appliance must be configured as a **SAML Identity Provider (IdP)**.
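
The two conditions above (a build older than the fixed one, plus a SAML IdP configuration) can be checked across an inventory with a short script. This is an added example, not code from the alert or from Citrix. The function names, the `edition` parameter and the version-string shape are assumptions, and the `add authentication samlIdPProfile` line it searches for in `ns.conf` is the NetScaler CLI command for creating an IdP profile, not something stated on this page.

```python
import re

# First fixed build per (release, edition), taken from the version list above.
FIXED = {
    ("14.1", ""): (60, 58),
    ("13.1", ""): (62, 23),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDcPP"): (37, 262),
}

# Assumed version shape: "<release>-<build>.<sub>", e.g. "13.1-62.23".
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

# Assumption: a SAML IdP profile appears in ns.conf as this CLI command.
IDP_RE = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.I | re.M)

# Constructed sample config, not from a real appliance.
SAMPLE_CONF = "add authentication samlIdPProfile idp_prof_example\n"


def is_vulnerable_build(version, edition=""):
    """True if older than the fixed build, None if the release is not listed."""
    m = BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    fixed = FIXED.get((m.group(1), edition))
    if fixed is None:
        return None
    # Integer tuples, not floats: 60.6 is older than 60.58.
    return (int(m.group(2)), int(m.group(3))) < fixed


def triage(version, ns_conf, edition=""):
    """Combine the build check with the SAML IdP precondition."""
    vulnerable = is_vulnerable_build(version, edition)
    if vulnerable is None:
        return "release not listed"
    if not vulnerable:
        return "fixed build"
    if IDP_RE.search(ns_conf):
        return "affected: vulnerable build with SAML IdP profile"
    return "vulnerable build, no SAML IdP profile found"


if __name__ == "__main__":
    for v, e in [("14.1-60.6", ""), ("13.1-37.262", "FIPS"), ("13.1-62.22", "")]:
        print(v, e or "standard", "->", triage(v, SAMPLE_CONF, e))
```

The edition must be supplied correctly: a FIPS or NDcPP build number such as 13.1-37.262 would be flagged as vulnerable if compared against the standard 13.1 fixed build.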
## Vulnerability Description
CVE-2026-3055 is an insufficient input validation vulnerability that results in a memory overread. When the appliance is acting as a SAML IdP, it fails to properly validate incoming requests, allowing a remote, unauthenticated attacker to trigger an out-of-bounds read. This flaw enables the attacker to leak sensitive information directly from the device's memory.
## Exploitation
- **Status:** **Exploited in the wild** (Reporting indicates active exploitation since March 27, 2026).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to sensitive information stored in process memory).
- **Integrity:** None reported.
- **Availability:** None reported (though memory leaks can occasionally lead to process instability).
## Remediation
### Patches
Organizations should upgrade to the following versions or later:
- **NetScaler ADC / Gateway 14.1:** 14.1-60.58
- **NetScaler ADC / Gateway 13.1:** 13.1-62.23
- **NetScaler ADC 13.1-FIPS:** 13.1-37.262
- **NetScaler ADC 13.1-NDcPP:** 13.1-37.262
*Note: Citrix-managed cloud services have already been updated by the vendor.*
### Workarounds
No specific configuration workarounds were provided in the alert; immediate patching is recommended. If patching is delayed, organizations should consider disabling SAML IdP features if they are not critically required.
## Detection
### Indicators of Compromise
- Monitor for unusual SAML request patterns or unauthorized access attempts.
- Review logs for evidence of memory scraping or unexpected outbound data movement.
### Detection methods and tools
- **Evidence Preservation:** If compromise is suspected, do **not** power off the machine, so that volatile memory traces are preserved.
- **Network Isolation:** Isolate suspected appliances from both the internet and internal segments.
- **Audit:** Examine all downstream servers and systems connected to the NetScaler for signs of credential misuse or lateral movement.
## References
- Vendor Advisory: hxxps[://]support[.]citrix[.]com/external/article/CTX696300/netscaler-adc-and-netscaler-gateway-secu[.]html
- CCCS Alert: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/al26-006-vulnerability-impacting-citrix-netscaler-adc-netscaler-gateway-cve-2026-3055
- NVD Detail: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-3055
- Incident Response Guide: hxxps[://]support[.]citrix[.]com/support-home/kbsearch/article?articleNumber=CTX694799