Citrix published security bulletin CTX696604 on June 30, 2026, disclosing six vulnerabilities in NetScaler ADC and NetScaler Gateway. The most prominent, CVE-2026-8451, is a pre-authentication out-of-bounds memory read that occurs when the appliance is configured as a SAML Identity Provider — a configuration common in enterprise SSO architectures. Researchers at watchTowr, who discovered the vulnerability, have drawn explicit comparisons to the original CitrixBleed (CVE-2023-4966), which was exploited by ransomware groups including LockBit 3.0 in 2023 and 2024.

The six CVEs span memory overread, memory overflow, unauthenticated arbitrary file read, and denial-of-service. Together they paint a picture of deep memory safety issues in the NetScaler ADC codebase across multiple traffic-handling components. Affected versions are NetScaler ADC and Gateway 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18. Citrix-managed cloud deployments have already been patched; only customer-managed appliances are affected.

If you manage NetScaler ADC or Gateway appliances on-premises or in hosted environments under your control, this bulletin requires immediate attention.

What the Vulnerabilities Are

CVE-2026-8451 (CVSS v4 8.8) — Pre-Auth Out-of-Bounds Memory Read via SAML IdP

When NetScaler ADC or Gateway is configured to act as a SAML Identity Provider (SAML IdP), an unauthenticated attacker can send a crafted SAML request that triggers an out-of-bounds read in memory. The result is a memory disclosure that can expose sensitive data from appliance memory to the attacker — comparable in mechanism to the original CitrixBleed vulnerability.

In the original CitrixBleed (CVE-2023-4966), memory disclosure from the Gateway AAA session token handler exposed active session tokens, allowing attackers to hijack authenticated VPN sessions without credentials. watchTowr researchers note that CVE-2026-8451 follows the same architectural pattern: a memory safety error in a pre-authentication handler that exposes heap or stack contents. The specific data accessible depends on what the appliance has in memory at the time of exploitation — session tokens, credentials, cryptographic material, or internal state are all plausible disclosure targets.

Discovered by watchTowr. No authentication required; exploitable via the network against any internet-facing NetScaler appliance configured as a SAML IdP.

CVE-2026-8452 (CVSS v4 8.8) — Memory Overflow via Gateway / AAA Virtual Server

A memory overflow vulnerability exploitable when NetScaler is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Exploitation can result in unpredictable system behavior or service crashes (denial of service). The Gateway and AAA configurations are extremely common — nearly all NetScaler deployments use one or both. This CVE is relevant to the large majority of NetScaler deployments even if SAML IdP is not configured.

CVE-2026-8655 — Multiple Memory Overflow Vulnerabilities (Oracle LB, DNS Proxy, Recursive DNS)

A grouping of memory overflow vulnerabilities affecting Oracle load-balancing, DNS proxy, and recursive DNS handling components within NetScaler. These are distinct from CVE-2026-8452 and affect additional traffic-handling paths.

CVE-2026-10816 (CVSS 7.1) — Unauthenticated Arbitrary File Read via Management Interfaces

An unauthenticated attacker with access to the NetScaler management interface (NSIP, SNIP, or Cluster IPs) can read arbitrary files from the appliance filesystem. Management interface access should be restricted to trusted administrative networks; however, in environments where NSIPs are accessible from broader segments, this enables attackers to read configuration files, certificates, private keys, or credential stores from the appliance without authentication.

CVE-2026-10817 — Memory Overread via TCP Timestamp Handling

A memory overread triggered via TCP timestamp option handling. Details are limited in the advisory, but overreads in TCP option parsing have historically been exploitable for memory disclosure or, in some cases, remote code execution depending on the memory layout.

CVE-2026-13474 (CVSS 8.7) — Denial of Service via HTTP/2 Requests

A DoS vulnerability triggered by malformed or specifically crafted HTTP/2 requests. Notably, this vulnerability requires that Http2SmallWndTimeout be set to 30 seconds in the NetScaler configuration — a non-default but not uncommon tuning parameter. Appliances with this setting that handle HTTP/2 traffic can be crashed by an unauthenticated attacker, making this a targeted but real availability risk.

Why It Matters

The CitrixBleed comparison is not alarmism. watchTowr — a reputable offensive security research firm — explicitly framed CVE-2026-8451 in the context of CVE-2023-4966 (CitrixBleed). The original CitrixBleed was exploited by ransomware groups, nation-state actors, and cybercriminals for months after disclosure. LockBit 3.0, Medusa, Akira, and other ransomware groups weaponized it to steal session tokens and bypass authentication entirely. The same technique — memory disclosure from a pre-auth handler exposing sensitive data — applies to CVE-2026-8451 if session token data or authentication material appears in the disclosed memory region.

SAML IdP configuration is a high-value enterprise target. Organizations that have configured NetScaler as a SAML IdP are using it as the authentication gateway for SaaS applications, internal web apps, or federation services. Compromising memory from this component during the SAML authentication flow targets the highest-privilege authentication surface on the appliance.

Six CVEs in one bulletin indicates systemic memory safety debt. CVE-2026-8451, -8452, -8655, and -10817 are all memory safety failures (overread, overflow, overflow, and overread respectively). This pattern suggests that the affected code paths share architectural characteristics — possibly C/C++ code handling network-attacker-controlled input without adequate bounds checking. Where one memory safety flaw is found, others typically coexist.

Citrix NetScaler is internet-facing by design. NetScaler ADC and Gateway are edge appliances — they are the termination point for VPN, SSO, load-balanced web traffic, and application delivery. Unlike vulnerabilities in internal systems, NetScaler vulnerabilities are exploitable by any internet-based attacker who can reach the appliance without any prior foothold.

Customer-managed deployments are the at-risk population. Citrix's bulletin notes that Citrix-managed cloud services have already received patches. If you are not on Citrix-managed cloud — if you run physical NetScaler appliances, NetScaler VPX instances, or manage NetScaler in your own cloud environment — you must patch manually.

Am I Affected?

You are affected if you run NetScaler ADC or NetScaler Gateway at any of the following versions:

  • 14.1 before 14.1-72.61 — upgrade to 14.1-72.61 or later
  • 13.1 before 13.1-63.18 — upgrade to 13.1-63.18 or later

FIPS and NDcPP (Common Criteria) variants of these builds are also affected and have corresponding fixed builds listed in CTX696604.

To check your running NetScaler version:

# From the NetScaler CLI (SSH to NSIP):
show version
# Expected output includes: "NetScaler NS14.1: Build 14.1-XX.YY..."

Or from the NetScaler GUI: System → System Information → note the "NetScaler Version" and "Build" fields.
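When you have more than a handful of appliances, checking versions by hand does not scale. The following script is an added example (not from Citrix or the bulletin) that parses the "Build 14.1-XX.YY" substring of show version output collected from each appliance and compares it against the fixed builds listed above. The sample outputs are constructed, and the script covers only the two mainline branches; FIPS and NDcPP builds have their own fixed versions in CTX696604 and must be checked separately.

```python
"""Compare NetScaler build strings against the fixed builds from CTX696604.

Added example; not Citrix's tooling. Assumes `show version` output contains a
substring of the form "Build 14.1-72.61" (possibly followed by ".nc" and a
date), as described in the text above.
"""
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int, int, int]  # (major, minor, build, patch)

# First non-vulnerable build per branch, per the bulletin.
FIXED_BUILDS: Dict[str, Build] = {
    "14.1": (14, 1, 72, 61),
    "13.1": (13, 1, 63, 18),
}

BUILD_RE = re.compile(r"Build\s+(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_build(show_version_output: str) -> Optional[Build]:
    """Extract (major, minor, build, patch) from `show version` text, or None."""
    m = BUILD_RE.search(show_version_output)
    if not m:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(build: Build) -> Optional[bool]:
    """True if below the fixed build for its branch, False if fixed,
    None if the branch is not covered by this bulletin (check CTX696604)."""
    branch = f"{build[0]}.{build[1]}"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    # Tuple comparison orders (major, minor, build, patch) lexicographically.
    return build < fixed


def assess_fleet(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> 'vulnerable' | 'fixed' | 'unknown-branch' | 'unparsed'."""
    result = {}
    for name, text in outputs.items():
        build = parse_build(text)
        if build is None:
            result[name] = "unparsed"
            continue
        status = is_vulnerable(build)
        result[name] = {True: "vulnerable", False: "fixed", None: "unknown-branch"}[status]
    return result


# Constructed sample outputs, approximating the format quoted in the text.
SAMPLE_OUTPUTS = {
    "ns-edge-01": "NetScaler NS14.1: Build 14.1-71.22.nc, Date: Jan 10 2026",
    "ns-edge-02": "NetScaler NS14.1: Build 14.1-72.61.nc, Date: Jun 28 2026",
    "ns-dc-01":   "NetScaler NS13.1: Build 13.1-59.19.nc, Date: Nov 02 2025",
    "ns-lab-01":  "NetScaler NS13.0: Build 13.0-92.21.nc, Date: Feb 14 2024",
}

if __name__ == "__main__":
    for name, status in sorted(assess_fleet(SAMPLE_OUTPUTS).items()):
        print(f"{name}: {status}")
```

Anything reported as vulnerable goes straight onto the upgrade list; anything reported as unknown-branch (for example a 13.0 build, which is end of life and not covered by the fixed builds quoted here) needs a manual decision against the bulletin.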

CVE-2026-8451 specifically affects configurations with SAML IdP enabled. To check:

  • GUI: Security → AAA → Virtual Servers — look for virtual servers with SAML IdP policy bindings
  • CLI: show authentication samlidppolicy — output indicates SAML IdP policies in use

CVE-2026-8452 affects Gateway and AAA virtual server configurations — extremely common in NetScaler deployments.

CVE-2026-10816 requires management interface exposure. Check whether your NSIP/SNIP/CLIP is accessible from networks other than your management VLAN.

What to Do About It: Step-by-Step

Step 1: Upgrade to the fixed build immediately.

Download fixed builds from Citrix Downloads. Apply to all appliances:

  • 14.1.x: Upgrade to 14.1-72.61 or later
  • 13.1.x: Upgrade to 13.1-63.18 or later

Follow Citrix's standard upgrade procedure for your deployment type (standalone, HA pair, cluster). For HA pairs, perform a rolling upgrade to maintain availability.

Step 2: Immediately restrict management interface access if not already done.

CVE-2026-10816 requires access to the management IP. Ensure your NSIP (and any SNIPs used for management) is accessible only from your management VLAN or jump server subnet. This should already be in place per Citrix's hardening guidance, but it is frequently left open in practice.

# Verify management IP access control:
show ns acl
# Ensure there are deny rules for management ports (SSH/22, HTTP/80, HTTPS/443) from untrusted sources to NSIP

Step 3: If CVE-2026-8451 is applicable (SAML IdP configured), treat session tokens as potentially compromised.

If your appliance was configured as a SAML IdP and was internet-accessible prior to patching, the memory disclosed via CVE-2026-8451 may have included active session data. As a precautionary measure:

  • Force re-authentication for all active sessions: from the CLI, run kill aaa session -all to clear all AAA sessions
  • Rotate certificates used in your SAML IdP configuration (SP/IdP signing and encryption certificates)
  • Notify your security team to review IdP authentication logs for anomalous SSO authentication patterns from unfamiliar source IPs

Step 4: If using HTTP/2 with Http2SmallWndTimeout=30s, change the setting before patching as an interim measure.

For CVE-2026-13474: if you have set Http2SmallWndTimeout to 30 seconds via the set ns limit command, change it to a different value or remove the setting:

# Check current setting:
show ns limit Http2SmallWndTimeout
# If set to 30s, change it:
set ns limit Http2SmallWndTimeout 60
save config

Step 5: Review NetScaler logs for evidence of exploitation attempts.

Check /var/log/ns.log and /var/nslog/newnslog for unusual SAML authentication requests, abnormal memory fault messages, or unusual TCP option handling errors. Alert your SOC if you see successful SAML authentications from unexpected IP ranges, particularly in the 24–72 hours before patching.
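To make the "unexpected IP ranges in the 24–72 hours before patching" review repeatable, the following script is an added example (not from Citrix or the page) that triages SAML authentication events. It assumes you have already extracted the relevant entries from ns.log or newnslog into a simple per-line record of timestamp, client IP and result; the record format, the expected source ranges and the sample events are all constructed for the example. It flags successful SAML authentications from outside the expected ranges that fall inside the pre-patch window.

```python
"""Flag SAML IdP successes from unexpected source ranges before patch time.

Added example; not Citrix tooling. Input format is assumed: one event per
line, "<ISO-8601 UTC timestamp> <client IP> <result>", produced by your own
extraction from ns.log / newnslog.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed: internal address space plus the organisation's known egress range.
EXPECTED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample events (documentation-range IPs, not real sources).
SAMPLE_EVENTS = """\
2026-06-30T08:00:00Z 10.20.30.40 SAML_AUTH_SUCCESS
2026-06-30T09:15:00Z 198.51.100.77 SAML_AUTH_SUCCESS
2026-06-30T09:16:00Z 198.51.100.77 SAML_AUTH_FAILURE
2026-06-30T11:40:00Z 198.51.100.77 SAML_AUTH_SUCCESS
2026-06-25T12:00:00Z 198.51.100.9 SAML_AUTH_SUCCESS
2026-07-01T06:00:00Z 203.0.113.5 SAML_AUTH_SUCCESS
"""

Event = Tuple[datetime, ipaddress._BaseAddress, str]


def parse_events(text: str) -> List[Event]:
    """Parse the assumed one-event-per-line format into (timestamp, ip, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, result = line.split()
        # Accept a trailing "Z" on Python versions whose fromisoformat does not.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ipaddress.ip_address(ip), result))
    return events


def in_expected_ranges(ip) -> bool:
    return any(ip in net for net in EXPECTED_RANGES)


def flag_unexpected_successes(events: List[Event], patch_time: datetime,
                              window_hours: int = 72) -> Dict[str, int]:
    """Count successful SAML authentications per unexpected source IP that
    occurred within `window_hours` before `patch_time`."""
    start = patch_time - timedelta(hours=window_hours)
    hits = Counter()
    for when, ip, result in events:
        if result != "SAML_AUTH_SUCCESS":
            continue
        if not (start <= when <= patch_time):
            continue
        if in_expected_ranges(ip):
            continue
        hits[str(ip)] += 1
    return dict(hits)


if __name__ == "__main__":
    # Assumed patch time for the sample: midnight UTC on 1 July 2026.
    patched_at = datetime(2026, 7, 1, tzinfo=timezone.utc)
    for ip, count in flag_unexpected_successes(parse_events(SAMPLE_EVENTS), patched_at).items():
        print(f"review: {count} successful SAML authentication(s) from {ip} before patch")
```

Failures are deliberately ignored here because the step above is about successful SSO from unfamiliar sources; a separate count of failures per IP is a useful addition if you also want to see probing. Events after the patch time are excluded so that the output reflects only the exposure window.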

Quick-Win Checklist

  • Confirmed NetScaler version on all appliances (14.1.x or 13.1.x)
  • Upgraded to 14.1-72.61 or 13.1-63.18 (or applied to HA pair with rolling upgrade)
  • Verified management interface (NSIP) is restricted to management VLAN only — deny rules in place
  • Assessed whether SAML IdP is configured (CVE-2026-8451 precondition)
  • Killed active AAA sessions and rotated SAML certificates if SAML IdP was enabled pre-patch
  • Checked Http2SmallWndTimeout setting and adjusted if set to 30s
  • Reviewed ns.log for anomalous pre-auth requests around SAML and Gateway handlers

Sources