Citrix Critical Update: NetScaler Vulnerabilities Fixed Enabling File Leakage and Service Disruption
Citrix has issued critical fixes for six NetScaler vulnerabilities that could lead to arbitrary file reads, memory disclosure, and denial-of-service attacks. As internet-facing appliances, NetScaler deployments remain attractive targets for threat actors seeking initial access to enterprise networks.
Summary
Citrix has released critical security updates for NetScaler ADC and NetScaler Gateway, addressing six vulnerabilities that could enable arbitrary file reads and denial-of-service (DoS) conditions. Among these flaws is a CitrixBleed-style memory overread vulnerability that raises serious concerns around sensitive memory disclosure and session data leakage. From a threat intelligence perspective, these issues reinforce the ongoing risk associated with edge security appliances that remain exposed to the internet and frequently targeted by advanced threat actors.
The memory overread issue draws particular attention because of its similarity to previously exploited NetScaler weaknesses. Edge appliances such as NetScaler are frequently targeted because they serve as internet-facing gateways that provide secure remote access, application delivery, and traffic management for enterprise environments. Given their strategic position within network infrastructure, organizations should treat these vulnerabilities as high priority, promptly apply the latest security updates, restrict unnecessary exposure of management interfaces, and continuously monitor for signs of suspicious activity.
Vulnerability Details
| CVE ID | CVSS Score | EPSS Score | Vulnerability Type |
|---|---|---|---|
| CVE-2026-8451 | 7.5 (High) | 0.53% | Insufficient input validation |
| CVE-2026-8452 | 9.8 (Critical) | 0.40% | Memory overflow vulnerability |
| CVE-2026-8655 | 9.8 (Critical) | 0.38% | Multiple memory overflow vulnerabilities |
| CVE-2026-10816 | 7.1 (High) | 0.22% | Arbitrary File Read |
| CVE-2026-10817 | 6.9 (Medium) | 0.40% | Insufficient input validation |
| CVE-2026-13474 | 8.7 (High) | 0.38% | Denial of service |
Root Cause Analysis
These vulnerabilities stem from systemic weaknesses in input validation and memory management within NetScaler processing pipelines. In particular, unsafe parsing of SAML XML payloads, improper buffer boundary checks, and inefficient memory lifecycle handling contribute to exploitable conditions such as out-of-bounds reads and resource exhaustion.
The CitrixBleed-style issue (CVE-2026-8451) demonstrates how insufficient validation in authentication flows can result in unintended memory disclosure, potentially exposing session tokens, credentials, and cryptographic material.
Affected Versions
- NetScaler ADC and NetScaler Gateway versions prior to 14.1-72.61
- NetScaler ADC and Gateway 13.1 versions prior to 13.1-63.18
- NetScaler ADC 14.1-FIPS builds prior to 14.1-72.61 FIPS
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP prior to 13.1-37.272
Impact
Successful exploitation of these vulnerabilities could allow unauthenticated attackers to access sensitive files, extract in-memory secrets, or trigger service disruptions. In worst-case scenarios, memory disclosure vulnerabilities may be chained with additional weaknesses to achieve deeper system compromise.
1. Arbitrary file read leading to configuration and credential exposure
2. Memory overread resulting in session token leakage
3. Denial of service through resource exhaustion or HTTP/2 abuse
4. Potential chaining toward remote code execution in complex attack scenarios
Remediation
1. NetScaler ADC and NetScaler Gateway 14.1.x: Upgrade to 14.1-72.61 or later.
2. NetScaler ADC and NetScaler Gateway 13.1.x: Upgrade to 13.1-63.18 or later.
3. NetScaler ADC 14.1-FIPS: Upgrade to 14.1-72.61 FIPS or later.
4. NetScaler ADC 13.1-FIPS and 13.1-NDcPP: Upgrade to 13.1-37.272 or later.
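As an added defender-side check (not code from the advisory, Citrix, or SecPod), the following Python script maps an installed NetScaler build string to the fixed builds listed above and reports whether that build is still affected. The fixed-build numbers are the ones given in the advisory; the `show ns version` output format the extractor parses is an assumption, and the FIPS/NDcPP variant must be supplied by the operator because the same 13.1 release line has different fixed builds per variant.

```python
import re

# Fixed builds from the advisory, keyed by (release line, variant).
# Version strings use the NetScaler "<release>-<build>" form, e.g. "14.1-72.61".
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-72.61",
    ("13.1", "standard"): "13.1-63.18",
    ("14.1", "FIPS"): "14.1-72.61",
    ("13.1", "FIPS"): "13.1-37.272",
    ("13.1", "NDcPP"): "13.1-37.272",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed layout of the first line of `show ns version`, e.g.
# "NetScaler NS14.1: Build 72.61.nc, Date: ..." (constructed sample, not from the page).
_SHOW_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+\.\d+)")


def parse_version(version: str) -> tuple:
    """Turn '14.1-72.61' into the comparable tuple (14, 1, 72, 61)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_from_show_output(output: str) -> str:
    """Extract '<release>-<build>' from `show ns version` text (format assumed)."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("could not find a NetScaler build in the output")
    return f"{m.group(1)}-{m.group(2)}"


def is_affected(version: str, variant: str = "standard") -> bool:
    """True when the installed build is older than the fixed build for its line.

    Raises ValueError for release lines the advisory does not cover, so an
    unknown line is never silently reported as patched.
    """
    installed = parse_version(version)
    release = f"{installed[0]}.{installed[1]}"
    key = (release, variant)
    if key not in FIXED_BUILDS:
        raise ValueError(f"no fixed build known for {release} {variant}")
    return installed < parse_version(FIXED_BUILDS[key])


if __name__ == "__main__":
    sample = "NetScaler NS13.1: Build 37.272.nc, Date: Jan 1 2026"  # constructed
    build = version_from_show_output(sample)
    for variant in ("standard", "FIPS"):
        print(build, variant, "AFFECTED" if is_affected(build, variant) else "fixed")
```

Note that 13.1-37.272 is the fixed build only for the FIPS and NDcPP variants; on the standard 13.1 line the same number is well below 13.1-63.18 and still reports as affected.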
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access (TA0001) |
| T1005 | Data from Local System | Collection (TA0009) |
| T1499 | Endpoint Denial of Service | Impact (TA0040) |
| T1498 | Network Denial of Service | Impact (TA0040) |
Mitigation
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. The software supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.