Six New NetScaler Vulnerabilities Demand Urgent Review and Response
Citrix has disclosed six new vulnerabilities impacting NetScaler Application Delivery Controller (ADC) and Gateway appliances. These issues, published under Citrix article CTX696604, introduce real risk to environments that haven’t been patched or properly reviewed. The vulnerabilities, tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474, can potentially allow memory overread, memory overflow, arbitrary file read, and denial-of-service conditions depending on how the appliance is configured.
As part of our ongoing Citrix expertise and customer support, the Alchemy team reviewed the vulnerabilities and what they mean in practice.
The Vulnerabilities
CVE-2026-8451 (CVSS 8.8)
Insufficient input validation on appliances configured as a SAML Identity Provider can allow an out-of-bounds memory read. This can expose sensitive memory contents on any appliance with a SAML IdP profile configured.
CVE-2026-8452 (CVSS 8.8)
A memory overflow condition affects appliances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Exploitation can lead to unpredictable behavior and denial-of-service.
CVE-2026-8655 (CVSS 8.8)
Appliances configured as an Oracle-type load balancer, DNS proxy, or DNS recursive resolver are subject to a memory overflow condition, again resulting in service disruption.
CVE-2026-10816 (CVSS 7.1)
An unauthenticated, arbitrary file-read vulnerability. It requires network access to a management interface (NSIP, SNIP, or Cluster Management IP) with management access enabled, and can expose sensitive configuration files or system data.
CVE-2026-10817 (CVSS 6.9)
A memory overread condition tied to TCP Timestamps. Any appliance with Timestamp enabled in a TCP profile bound to a virtual server is exposed.
CVE-2026-13474 (CVSS 8.7)
A missing memory release condition on virtual servers with HTTP/2 enabled. Specially crafted, malformed HTTP/2 requests can stall small-window streams and exhaust system resources, leading to denial-of-service.
Several of these CVEs carry high CVSS scores and are exploitable simply by having certain features configured, not by any misconfiguration on the customer’s part. They require fast attention, even if no confirmed active exploitation has yet occurred.
What Alchemy Recommends
1. Confirm your current NetScaler version
If you’re running builds before the following, your systems are at risk:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-72.61
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-63.18
- NetScaler ADC FIPS BEFORE 14.1-72.61 FIPS
- NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.272
Note: The vulnerabilities also affect Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances. To address the vulnerabilities, customers must upgrade these NetScaler instances to the recommended builds.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group has already patched the Citrix-managed cloud services and Adaptive Authentication platforms, so no action is needed there.
2. Identify which of the six CVEs actually apply to you
Not every CVE in this bulletin applies to every appliance. Exposure depends on how each ADC or Gateway is configured. Before or after patching, search your running configuration for the following, since each maps to a specific CVE:
- add authentication samlIdPProfile (SAML IdP, CVE-2026-8451)
- add vpn vserver or add authentication vserver (Gateway/AAA, CVE-2026-8452)
- Oracle-type load balancing or content switching vservers, or DNS proxy/recursive resolver entries (CVE-2026-8655)
- TimeStamp ENABLED in any bound TCP profile (CVE-2026-10817)
- -http2 ENABLED on any HTTP profile, including the default nshttp_default_profile (CVE-2026-13474)
This gives you a precise picture of exposure instead of treating every appliance as equally at risk.
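To make steps 1 and 2 repeatable across a fleet, here is an added example (not Citrix's or Alchemy's code) that compares a `show ns version` line against the fixed builds listed above and greps an exported ns.conf for the configuration items that map to each CVE. It assumes the standard NetScaler CLI keywords (`-timeStamp`, `-tcpProfileName`, `-http2`, the ORACLE vserver service type) and the usual "NetScaler NS14.1: Build 47.46.nc" version format; the DNS proxy/recursive-resolver case for CVE-2026-8655 is left for a manual check, and the sample config is constructed.

```python
# Added example (not Citrix's or Alchemy's code): audit a NetScaler version line and
# ns.conf against CTX696604. Assumes standard CLI keywords (-timeStamp, -http2, ...).
import re

# Minimum fixed builds from the bulletin, keyed by (release, is_fips_train)
FIXED_BUILDS = {("14.1", False): (72, 61), ("13.1", False): (63, 18),
                ("14.1", True): (72, 61), ("13.1", True): (37, 272)}

# Config lines that by themselves indicate exposure to a CVE
PATTERNS = [
    (r"^add authentication samlIdPProfile\b", "CVE-2026-8451"),
    (r"^add (?:vpn|authentication) vserver\b", "CVE-2026-8452"),
    (r"^add (?:lb|cs) vserver \S+ ORACLE\b", "CVE-2026-8655"),
    (r"^(?:add|set) ns httpProfile .*-http2 ENABLED", "CVE-2026-13474"),
]

def build_is_vulnerable(version_line: str, fips: bool = False) -> bool:
    """Parse e.g. 'NetScaler NS14.1: Build 47.46.nc' and compare to the fixed build."""
    m = re.search(r"NS(\d+\.\d+): Build (\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    fixed = FIXED_BUILDS.get((m.group(1), fips))  # None: release not in bulletin, treat as exposed
    return fixed is None or (int(m.group(2)), int(m.group(3))) < fixed

def applicable_cves(ns_conf: str) -> dict:
    """Return {cve: [matching config lines]} for a running configuration."""
    lines = [ln.strip() for ln in ns_conf.splitlines() if ln.strip()]
    hits: dict = {}
    for ln in lines:
        for pat, cve in PATTERNS:
            if re.match(pat, ln, re.IGNORECASE):
                hits.setdefault(cve, []).append(ln)
    # CVE-2026-10817 needs a TCP profile with timestamps ENABLED *and* a vserver bound to it
    ts_profiles = {m.group(1) for ln in lines if (m := re.match(
        r"(?:add|set) ns tcpProfile (\S+) .*-timeStamp ENABLED", ln, re.IGNORECASE))}
    for ln in lines:
        m = re.search(r"^add \S+ vserver .*-tcpProfileName (\S+)", ln, re.IGNORECASE)
        if m and m.group(1) in ts_profiles:
            hits.setdefault("CVE-2026-10817", []).append(ln)
    return hits

# Constructed sample input (not captured from a real appliance)
SAMPLE_VERSION = "NetScaler NS14.1: Build 47.46.nc, Date: Jan 1 2025"
SAMPLE_CONF = """
add ns tcpProfile ts_on -timeStamp ENABLED
add authentication samlIdPProfile corp_idp
add lb vserver web_vs HTTP 10.0.0.10 80 -tcpProfileName ts_on
add lb vserver db_vs ORACLE 10.0.0.11 1521
set ns httpProfile nshttp_default_profile -http2 ENABLED
"""
```

Run it against the real `show ns version` output and a `show ns runningConfig` export; the FIPS flag matters because 13.1-37.272 is below the non-FIPS 13.1-63.18 threshold yet is the fixed build on that train.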
3. Upgrade to a secure build immediately
Move to 14.1-72.61, 13.1-63.18, 14.1-72.61 FIPS, or 13.1-37.272 (FIPS/NDcPP), as applicable to your platform.
4. Configure the HTTP/2 timeout parameter
CVE-2026-13474 needs one extra step beyond the upgrade. Set the new Http2SmallWndTimeout parameter, which governs how long a stalled HTTP/2 small-window stream is allowed to sit before it’s cleaned up. Appliances already running an HTTP Strict Profile default to 30 seconds post-upgrade and are automatically protected. Everyone else should set this explicitly rather than assume the default covers them.
5. Lock down access to the management interfaces
No management IP (NSIP, SNIP, Cluster Management IP) should be reachable from untrusted networks, particularly given the file-read path in CVE-2026-10816. Use network segmentation and ACLs to limit access to trusted admin networks only.
6. Don’t delay migration planning
If you’re on an older or unsupported build outside the versions above, delaying migration planning is not an option. These vulnerabilities are exploitable through common, everyday configurations like SAML authentication and HTTP/2, not edge cases. The longer you wait, the more exposed your environment stays.
Need help assessing your risk or scheduling an upgrade?
If you’re unsure whether your NetScaler configuration is secure or which of these six CVEs apply to your environment, now is the time to find out. Alchemy’s NetScaler Health Check goes beyond patching; we assess system hardening, configuration drift, and gateway exposure to give you precise, prioritized action steps. Whether you need fast remediation or a complete upgrade plan, our team is ready to help.