Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.
The vulnerabilities are listed below -
Patches for the security defects have been released in the following versions -
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
The command to set this parameter is below -
set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>
Cisco credited Michael Tucker from the XOR team at JPMorgan Chase, Aliz Hammond of watchTowr, and Maxim Suhanov for reporting the vulnerabilities. There is no evidence that the issues have been exploited in the wild.
watchTowr Labs, in a technical write-up released alongside Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce CVE-2026-3055 (CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year.
The cybersecurity company said the vulnerability stems from how NetScaler parses SAML authentication requests and shares the same root cause as the March 2026 flaw, resulting in out-of-bounds memory reads when sending malformed SAML requests.
"One thing we're keen to note: in contrast to the original CVE-2026-3055, in which kilobytes of binary data can be leaked, this overread will terminate the out-of-bounds read when various control characters are read, such as NULL (or even >)," security researcher Hammond said. "In practice, we found that by varying the request length, we could consistently squeeze a few bytes out of the server."
"However, what should be of concern is the bigger picture - the trend, which is very clearly suggesting that memory management continues to appear fragile within Citrix NetScaler appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory."
In recent years, Citrix appliances have been a lucrative attack target, with multiple flaws in its software exploited by threat actors for ransomware deployment in the past, making it crucial that users apply the patches for optimal protection.