Citrix Patches Multiple NetScaler Vulnerabilities, Including Arbitrary File Read and DoS Flaws
Citrix has released critical security updates for its **NetScaler ADC** and **NetScaler Gateway** products, addressing several vulnerabilities that could allow unauthenticated arbitrary file reads or cause denial-of-service (DoS) conditions. Administrators are urged to apply the fixed builds promptly and, for one of the flaws, to verify a configuration parameter after upgrading.
On Tuesday, **Citrix** issued crucial security updates to address a suite of vulnerabilities affecting **NetScaler ADC** (formerly **Citrix ADC**) and **NetScaler Gateway** (formerly **Citrix Gateway**).
These flaws could be exploited by attackers to read arbitrary files from the appliance or to trigger denial-of-service (DoS) conditions, underscoring the importance of prompt patching.

### Detailed Vulnerabilities
The identified vulnerabilities include:
* **CVE-2026-8451** (CVSS score: 8.8): An insufficient input validation vulnerability leading to memory overread when **NetScaler ADC** or **NetScaler Gateway** is configured as a **SAML IDP**.
* **CVE-2026-8452** (CVSS score: 8.8): A memory overflow vulnerability that can cause unpredictable behavior and denial-of-service when the appliance is configured as a Gateway or an **AAA** virtual server.
* **CVE-2026-8655** (CVSS score: 8.8): Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when **NetScaler ADC** is configured as an **LB** of type Oracle, a **DNS Proxy**, or a **DNS** recursive resolver deployment.
* **CVE-2026-10816** (CVSS score: 7.7): An external control of file name or path vulnerability allowing unauthenticated, arbitrary file reads when the appliance is reachable via the **NSIP**, the **Cluster Management IP**, or a **SNIP** with management access enabled.
* **CVE-2026-10817** (CVSS score: 6.9): An insufficient input validation vulnerability leading to memory overread when **TCP TimeStamp** is enabled in **TCP Profile** and associated with the virtual server (of type **LB**, **CS**, **VPN**) or the service configured on **NetScaler**.
* **CVE-2026-13474** (CVSS score: 8.7): A missing release of memory after effective lifetime vulnerability causing denial-of-service via malformed **HTTP/2** requests when **HTTP/2** is enabled in the **HTTP Profile** and associated with the virtual server (of type **LB**, **CS**, **VPN**) or the service configured on **NetScaler**.
### Patching and Configuration Guidance
Patches for these security defects have been released in the following versions:
* **NetScaler ADC** and **NetScaler Gateway** 14.1-72.61 and later releases of 14.1
* **NetScaler ADC** and **NetScaler Gateway** 13.1-63.18 and later releases of 13.1
* **NetScaler ADC** 14.1-FIPS 14.1-72.61 and later releases of 14.1-FIPS
* **NetScaler ADC** 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
For **CVE-2026-13474**, customers are also advised to update their configurations by modifying the `Http2SmallWndTimeout` parameter, which controls the timeout (in seconds) for **HTTP/2** small-window stalled streams.
* For appliances using **HTTP Strict Profiles**, this parameter already defaults to 30 seconds, so the fix takes effect as soon as the appliance is upgraded.
* For appliances *not* using **HTTP Strict Profiles**, the default value is 0, and in that state upgrading alone does not fully address the vulnerability. Customers *must* manually set `Http2SmallWndTimeout` to 30 seconds after upgrading.
The command to set this parameter is:
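Whether a particular appliance still needs that manual step can be read off its configuration: any HTTP profile with **HTTP/2** enabled whose effective `Http2SmallWndTimeout` is 0 remains exposed after the upgrade. The following audit script is an added example, not Citrix's command or tooling and not code from the original article. It parses a constructed `ns.conf`-style excerpt; the flag spellings (`-http2`, `-http2SmallWndTimeout`), the rule that strict profiles carry `strict` in their name, and the sample profile names are assumptions made for the illustration.

```python
"""Audit NetScaler HTTP profiles for the CVE-2026-13474 post-upgrade step.

Added example, not Citrix code. Assumptions (not taken from Citrix docs):
  * profiles are configured by lines of the form
      add|set ns httpProfile <name> [-http2 ENABLED|DISABLED] [-http2SmallWndTimeout <n>]
  * a profile is a "strict" profile when its name contains "strict"
    (modelled on the built-in nshttp_default_strict_validation profile)
"""
from __future__ import annotations

import shlex

# Constructed ns.conf excerpt for the demonstration; not from a real appliance.
SAMPLE_NS_CONF = """\
set ns httpProfile nshttp_default_strict_validation -http2 ENABLED
add ns httpProfile web_h2 -http2 ENABLED
add ns httpProfile web_h2_fixed -http2 ENABLED
set ns httpProfile web_h2_fixed -http2SmallWndTimeout 30
add ns httpProfile legacy_h1 -http2 DISABLED
"""

STRICT_DEFAULT_TIMEOUT = 30  # advisory: strict profiles default to 30 s
LOOSE_DEFAULT_TIMEOUT = 0    # advisory: non-strict profiles default to 0


def is_strict_profile(name: str) -> bool:
    """Assumed naming convention for HTTP Strict Profiles (see module docstring)."""
    return "strict" in name.lower()


def parse_http_profiles(conf: str) -> dict[str, dict[str, str]]:
    """Merge all `add`/`set ns httpProfile` lines into one parameter map per profile.

    Parameter names are lower-cased so spelling variants compare equal.
    """
    profiles: dict[str, dict[str, str]] = {}
    for raw in conf.splitlines():
        tokens = shlex.split(raw)
        if (len(tokens) < 4 or tokens[0] not in ("add", "set")
                or tokens[1:3] != ["ns", "httpProfile"]):
            continue
        params = profiles.setdefault(tokens[3], {})
        i = 4
        while i < len(tokens):
            key = tokens[i].lstrip("-").lower()
            # A flag followed by a non-flag token takes that token as its value.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                params[key] = tokens[i + 1]
                i += 2
            else:
                params[key] = ""
                i += 1
    return profiles


def effective_timeout(name: str, params: dict[str, str]) -> int:
    """Http2SmallWndTimeout actually in force: explicit value, else the profile-type default."""
    default = STRICT_DEFAULT_TIMEOUT if is_strict_profile(name) else LOOSE_DEFAULT_TIMEOUT
    raw = params.get("http2smallwndtimeout")
    return int(raw) if raw else default


def find_exposed_profiles(conf: str) -> list[str]:
    """Profiles with HTTP/2 enabled whose effective small-window timeout is still 0."""
    exposed = []
    for name, params in parse_http_profiles(conf).items():
        if params.get("http2", "DISABLED").upper() != "ENABLED":
            continue  # CVE-2026-13474 needs HTTP/2 enabled in the profile
        if effective_timeout(name, params) == 0:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name in find_exposed_profiles(SAMPLE_NS_CONF):
        print(f"{name}: HTTP/2 enabled, Http2SmallWndTimeout effectively 0; "
              "set it to 30 s after upgrading")
```

Run as a script it reports only `web_h2`: the strict profile inherits the 30 s default, `web_h2_fixed` has the value set explicitly, and `legacy_h1` has no HTTP/2. To audit a real appliance, replace `SAMPLE_NS_CONF` with an exported configuration. Built-in profiles that never appear on an `httpProfile` line are not reported, so check those against the advisory separately.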
### Vulnerability Discovery and Context
**Citrix** credited **Michael Tucker** from the **XOR team** at **JPMorgan Chase**, **Aliz Hammond** of **watchTowr**, and **Maxim Suhanov** for reporting these vulnerabilities. There is currently no evidence that these issues have been exploited in the wild.
**watchTowr Labs**, in a technical write-up, revealed that **CVE-2026-8451** was discovered and reported in late March 2026. This discovery occurred during attempts to reproduce **CVE-2026-3055** (CVSS score: 9.3), a separate insufficient input validation flaw disclosed earlier this year.
The cybersecurity firm explained that **CVE-2026-8451** stems from how **NetScaler** parses **SAML** authentication requests and shares the same root cause as the March 2026 flaw, leading to out-of-bounds memory reads when sending malformed **SAML** requests.
"One thing we're keen to note: in contrast to the original **CVE-2026-3055**, in which kilobytes of binary data can be leaked, this overread will terminate the out-of-bounds read when various control characters are read, such as NULL (or even >)," security researcher **Hammond** stated. "In practice, we found that by varying the request length, we could consistently squeeze a few bytes out of the server."
**Hammond** further emphasized the broader concern: "However, what should be of concern is the bigger picture - the trend, which is very clearly suggesting that memory management continues to appear fragile within **Citrix NetScaler** appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory."
### A History of Targeting
**Citrix** appliances have historically been a lucrative target for threat actors, with multiple **NetScaler** flaws exploited in the wild, including for ransomware deployment. That track record is a strong reason to apply these patches, and the **HTTP/2** configuration change where it applies, without delay.