Full Report
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below - CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation
Analysis Summary
# Vulnerability: Multiple NetScaler Flaws (File Read and DoS)
## CVE Details
- **CVE ID:** CVE-2026-8451 (Primary focus), CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, CVE-2026-13474
- **CVSS Score:** 8.8 (High) for CVE-2026-8451
- **CWE:** Insufficient Input Validation (Memory Overread)
## Affected Systems
- **Products:** NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway)
- **Versions:**
  - NetScaler ADC and Gateway: Versions prior to 14.1-72.61 and 13.1-63.18
  - NetScaler ADC FIPS: Versions prior to 14.1-72.61 FIPS and 13.1.37.272
- **Configurations:**
  - **CVE-2026-8451:** Specifically when configured as a **SAML Identity Provider (IdP)**.
  - **CVE-2026-10816:** When access to NSIP, Cluster Management IP, or SNIP with management access is enabled.
  - **CVE-2026-13474:** When HTTP/2 is enabled in the HTTP Profile.
## Vulnerability Description
CVE-2026-8451 is an insufficient input validation vulnerability that occurs when the appliance parses SAML authentication requests. It leads to an out-of-bounds memory overread. While similar to the earlier CVE-2026-3055, this specific flaw terminates the read when certain control characters (like NULL) are encountered, limiting the leak to a few bytes at a time rather than kilobytes. Other addressed flaws include memory overflows (DoS), unauthenticated arbitrary file reads (via path traversal), and memory leaks from malformed HTTP/2 requests.
## Exploitation
- **Status:** Not exploited in the wild (as of report date).
- **Complexity:** Medium (squeezing specific bytes requires varying request lengths).
- **Attack Vector:** Network (Remote).
- **PoC Availability:** Technical write-up/analysis available from watchTowr Labs.
## Impact
- **Confidentiality:** High (Potential for sensitive memory disclosure and arbitrary file reads).
- **Integrity:** None.
- **Availability:** High (Multiple flaws can trigger unpredictable behavior or DoS).
## Remediation
### Patches
Update to the following versions or later:
- NetScaler ADC / Gateway: **14.1-72.61**
- NetScaler ADC / Gateway: **13.1-63.18**
- NetScaler ADC 14.1-FIPS: **14.1-72.61 FIPS**
- NetScaler ADC 13.1-FIPS / NDcPP: **13.1.37.272**
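The fixed builds above use two different version formats (`14.1-72.61` versus `13.1.37.272`), which makes a naive string comparison unreliable when checking an appliance inventory. The following is an added example, not code from Citrix, watchTowr or the advisory itself: it normalises both formats into integer tuples, compares a running build against the fixed build for its release branch, and, using the configuration preconditions stated in the summary above, lists which of the six CVEs still apply to an unpatched appliance. The product keys (`adc-gateway`, `adc-fips`), the feature-flag names (`saml_idp`, `mgmt_access`, `http2`) and the inventory at the bottom are assumptions constructed for the example; CVEs without a stated precondition are treated as applying to every unpatched build.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds from the advisory summary, keyed by (product family, release branch).
# Product keys are constructed labels for this example, not Citrix identifiers.
FIXED_BUILDS: Dict[Tuple[str, str], str] = {
    ("adc-gateway", "14.1"): "14.1-72.61",
    ("adc-gateway", "13.1"): "13.1-63.18",
    ("adc-fips", "14.1"): "14.1-72.61",   # published as "14.1-72.61 FIPS"
    ("adc-fips", "13.1"): "13.1.37.272",  # 13.1-FIPS / NDcPP build
}

# Configuration preconditions as stated in the summary. Feature-flag names are
# assumptions for this example.
CONDITIONAL_CVES: Dict[str, str] = {
    "CVE-2026-8451": "saml_idp",      # appliance configured as SAML IdP
    "CVE-2026-10816": "mgmt_access",  # NSIP / Cluster IP / SNIP with management access
    "CVE-2026-13474": "http2",        # HTTP/2 enabled in the HTTP profile
}
# No precondition is listed for these, so they are assumed to apply to any unpatched build.
UNCONDITIONAL_CVES: List[str] = ["CVE-2026-8452", "CVE-2026-8655", "CVE-2026-10817"]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.1-72.61', '13.1.37.272' or '14.1-72.61 FIPS' into a comparable int tuple."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if len(parts) < 3:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return parts


def branch_of(version: str) -> str:
    """Release branch is the first two components, e.g. '14.1' or '13.1'."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def is_patched(product: str, version: str) -> bool:
    """True when the running build is at or above the fixed build for its branch."""
    key = (product, branch_of(version))
    if key not in FIXED_BUILDS:
        raise ValueError(f"branch {key[1]} of {product} is not covered by this advisory")
    return parse_version(version) >= parse_version(FIXED_BUILDS[key])


def applicable_cves(product: str, version: str, features: Dict[str, bool]) -> List[str]:
    """CVEs from the advisory that still apply, given the build and enabled features."""
    if is_patched(product, version):
        return []
    cves = list(UNCONDITIONAL_CVES)
    cves += [cve for cve, feature in CONDITIONAL_CVES.items() if features.get(feature, False)]
    return sorted(cves, key=lambda c: int(c.rsplit("-", 1)[1]))


def http2_workaround_required(http2_enabled: bool, strict_profiles: bool) -> bool:
    """Per the advisory, upgrading alone does not fully address CVE-2026-13474 unless
    HTTP Strict Profiles are in use; otherwise -http2SmallWndTimeout must be set."""
    return http2_enabled and not strict_profiles


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real appliances.
    inventory = [
        ("vpn-edge-01", "adc-gateway", "13.1-62.9", {"saml_idp": True, "http2": True}),
        ("lb-core-02", "adc-gateway", "14.1-72.61", {"mgmt_access": True}),
        ("fips-gw-01", "adc-fips", "13.1.37.271", {"http2": True}),
    ]
    for name, product, version, features in inventory:
        cves = applicable_cves(product, version, features)
        status = "patched" if not cves else "VULNERABLE: " + ", ".join(cves)
        print(f"{name:12} {product:12} {version:14} {status}")
        if http2_workaround_required(features.get("http2", False), strict_profiles=False):
            print(f"{'':12} reminder: set ns httpProfile <profile_name> -http2SmallWndTimeout 30")
```

Because the comparison is done per release branch, a build from a branch the advisory does not list raises an error instead of silently reporting it as patched; that is deliberate, since the summary says nothing about other branches.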
### Workarounds
- **For CVE-2026-13474 (HTTP/2 DoS):** If HTTP Strict Profiles are not in use, the upgrade alone is insufficient. You must manually set the timeout:
  - Command: `set ns httpProfile <profile_name> -http2SmallWndTimeout 30`
- **General Access:** Restrict access to management interfaces (NSIP, SNIP with management access) to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Monitor for malformed SAML requests or unusual HTTP/2 traffic patterns (small-window stalled streams).
- **Detection methods:** Audit NetScaler logs for unexpected appliance reboots or crashes (indicative of DoS attempts).
## References
- **Vendor Advisory:** hxxps[://]support[.]citrix[.]com/support-home/kbsearch/article?articleNumber=CTX696604
- **Researcher Analysis:** hxxps[://]labs[.]watchtowr[.]com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/
- **News Source:** hxxps[://]thehackernews[.]com/2026/07/citrix-patches-six-netscaler-flaws.html