Full Report
Citrix published a security bulletin Tuesday disclosing six vulnerabilities in NetScaler ADC and NetScaler Gateway appliances, including a high-severity memory disclosure flaw that researchers say belongs to a vulnerability class first identified in the 2023 incident known as CitrixBleed. The company rated the overall bulletin severity as high and assigned CVSS scores ranging from 6.9 […] The post Citrix patches a new NetScaler flaw with echoes of CitrixBleed appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical Memory Disclosure and DoS in Citrix NetScaler
## CVE Details
- **CVE ID:** CVE-2026-8451 (Primary focus), plus five additional CVEs.
- **CVSS Score:** 6.9 to 8.8 (High)
- **CWE:** CWE-125 (Out-of-bounds Read) / CWE-119 (Memory Corruption)
## Affected Systems
- **Products:** NetScaler ADC and NetScaler Gateway appliances.
- **Versions:** All versions prior to the June 2026 security builds.
- **Configurations:**
  - **CVE-2026-8451:** Specifically affects appliances configured as a **SAML Identity Provider (IdP)**.
  - **General:** Systems with management access exposed, or those using TCP timestamping and HTTP/2.
## Vulnerability Description
The primary vulnerability (CVE-2026-8451) is a pre-authentication memory overread flaw. It stems from how the NetScaler parses SAML authentication requests. Attackers can send malformed SAML requests to the authentication endpoints, triggering an out-of-bounds memory read. This flaw is technically similar to "CitrixBleed" and CVE-2026-3055, highlighting a recurring pattern of fragile memory management in NetScaler's SAML processing logic.
The accompanying five vulnerabilities include:
- Two memory overflow conditions (Denial of Service).
- Unauthenticated arbitrary file read (via management interface).
- Memory overread via TCP timestamp handling.
- HTTP/2 malformed request handling (Denial of Service).
## Exploitation
- **Status:** PoC described by researchers (watchTowr); no confirmed exploitation in the wild at the time of disclosure. Note: Similar previous flaws (CVE-2026-3055) were exploited within days.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote/Unauthenticated).
## Impact
- **Confidentiality:** High (Leaking of sensitive session data or system memory).
- **Integrity:** None reported for the primary CVEs.
- **Availability:** High (Multiple DoS conditions identified).
## Remediation
### Patches
Citrix has released updated builds for NetScaler ADC and NetScaler Gateway. Administrators should upgrade to the following versions (or higher) as specified in bulletin CTX696604:
- NetScaler ADC/Gateway 14.1
- NetScaler ADC/Gateway 13.1
- NetScaler ADC/Gateway 13.0
### Workarounds
- **Configuration Change (Required for HTTP/2 DoS):** Even after patching, administrators must manually adjust a specific timeout parameter to mitigate the HTTP/2 DoS condition, as the default value remains vulnerable.
- **Network Hardening:** Ensure management interfaces (NSIP) are not exposed to the public internet to mitigate arbitrary file read risks.
## Detection
- **Indicators of Compromise:** Monitor for unusual SAML request patterns or malformed HTTP/2 headers directed at the appliance.
- **Detection methods:** Review system logs for crashes in the `auth` subsystem or unexpected reboots of the NetScaler Packet Processing Engine (PPE).
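The Detection section above names three signals worth correlating: bursts of malformed SAML requests from one source, crashes in the `auth` subsystem, and unexpected PPE restarts. The following triage script is an added example, not code from Citrix, watchTowr or the bulletin; the log lines are constructed, the "timestamp host process: message" layout and the process names (`nsaaad`, `nsppe`) are assumptions, and the regexes should be adapted to the real `ns.log`/syslog format of the appliance.

```python
import re
from collections import Counter

# Constructed sample log in an assumed "timestamp host process: message" shape.
# The process names and message wording are assumptions, not real NetScaler output.
SAMPLE_LOG = """\
2026-06-10T09:00:01 ns1 nsaaad: SAML AuthnRequest from 203.0.113.5 to /saml/login status=OK
2026-06-10T09:00:02 ns1 nsaaad: SAML AuthnRequest from 203.0.113.5 to /saml/login status=ERR parse
2026-06-10T09:00:02 ns1 nsaaad: SAML AuthnRequest from 203.0.113.5 to /saml/login status=ERR parse
2026-06-10T09:00:03 ns1 kernel: auth: process nsaaad pid 4411 crashed (signal 11), core dumped
2026-06-10T09:00:09 ns1 nsppe: PPE-1 restarted after unexpected exit
2026-06-10T09:01:00 ns1 nsaaad: SAML AuthnRequest from 198.51.100.7 to /saml/login status=OK
"""

SAML_RE = re.compile(r"SAML AuthnRequest from (?P<src>\S+) .*status=(?P<status>\w+)")
AUTH_CRASH_RE = re.compile(r"\bauth\b.*\b(crash|crashed|core dump|core dumped|signal \d+)\b", re.I)
PPE_RESTART_RE = re.compile(r"\bPPE-\d+\b.*\b(restart|restarted|reboot)", re.I)


def triage(log_text: str, saml_error_threshold: int = 2) -> dict:
    """Summarise the indicators the advisory's Detection section names.

    A source that produces `saml_error_threshold` or more SAML parse failures
    is flagged; the finding is escalated when such a burst coincides with an
    auth-subsystem crash or a PPE restart in the same log window.
    """
    saml_total, saml_errors = Counter(), Counter()
    auth_crashes, ppe_restarts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = SAML_RE.search(line)
        if m:
            saml_total[m["src"]] += 1
            if m["status"] != "OK":
                saml_errors[m["src"]] += 1
        elif AUTH_CRASH_RE.search(line):
            auth_crashes.append(line)
        elif PPE_RESTART_RE.search(line):
            ppe_restarts.append(line)
    suspicious = sorted(s for s, n in saml_errors.items() if n >= saml_error_threshold)
    return {
        "saml_requests_by_source": dict(saml_total),
        "saml_errors_by_source": dict(saml_errors),
        "suspicious_sources": suspicious,
        "auth_crashes": auth_crashes,
        "ppe_restarts": ppe_restarts,
        "escalate": bool(suspicious) and bool(auth_crashes or ppe_restarts),
    }
```

Run it over a log export from the appliance (or a SIEM search result) to get a first-pass summary; a non-empty `suspicious_sources` list without any crash is still worth a look at the IdP's SAML request volume.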
## References
- Citrix Security Bulletin CTX696604: <https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604>
- watchTowr Technical Analysis: <https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/>
- NVD Listing for CVE-2026-8451: <https://nvd.nist.gov/vuln/detail/CVE-2026-8451>