Critical Memory‑Overread & Race‑Condition Flaws (CVE‑2026‑3055 & CVE‑2026‑4368) in Citrix NetScaler ADC & Gateway Prompt Immediate Patch
What Happened – Citrix released patches for two high‑severity vulnerabilities affecting NetScaler ADC appliances and NetScaler Gateway. CVE‑2026‑3055 is a memory‑overread caused by insufficient input validation that can expose session tokens; CVE‑2026‑4368 is a race‑condition that may cause session mix‑ups.
Why It Matters for TPRM –
- The flaws affect core networking and remote‑access services used by dozens of third‑party vendors.
- Exploitation could give attackers unauthenticated access to authentication tokens, enabling lateral movement into downstream SaaS or on‑premise environments.
- Over 30k ADC instances and 2k+ Gateway devices are known to be exposed, indicating a large attack surface across multiple industries.
Who Is Affected – Enterprises relying on Citrix NetScaler ADC (versions 13.1, 14.1) and NetScaler Gateway for secure remote access, spanning finance, healthcare, government, and cloud service providers.
Recommended Actions –
- Verify inventory of NetScaler ADC/Gateway assets and their firmware versions.
- Apply the Citrix‑provided patches (13.1‑62.23, 14.1‑66.59, etc.) immediately.
- Conduct post‑patch validation to confirm remediation and monitor for anomalous session activity.
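An added example, not from the advisory, BleepingComputer or Citrix, of the inventory and post-patch validation steps above: it parses the build strings of an asset list, compares each against the fixed builds named in this advisory (13.1-62.23 and 14.1-66.59), and flags devices that are still below them. It assumes Citrix build strings take the `major.minor-build.sub` form shown on this page; the hostnames, vendor names and builds in the sample inventory are constructed for illustration.

```python
"""Triage a NetScaler ADC/Gateway inventory against the fixed builds named in the advisory."""
import re
from collections import Counter

# Minimum fixed builds per release train, taken from the advisory text above.
# Key: release train "major.minor"; value: (build, sub) of the first fixed build.
FIXED_BUILDS = {
    "13.1": (62, 23),
    "14.1": (66, 59),
}

# Assumption: Citrix build strings look like "14.1-66.59" (train-build.sub).
BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str):
    """Split '13.1-62.23' into ('13.1', (62, 23)); raise on anything else."""
    m = BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return f"{major}.{minor}", (build, sub)


def assess(version: str) -> str:
    """Classify one device as 'patched', 'vulnerable', 'unknown-train' or 'unparseable'."""
    try:
        train, build = parse_build(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        # Release trains the advisory does not list need manual review rather than a verdict.
        return "unknown-train"
    # Tuple comparison orders (build, sub) numerically, so 62.23 > 58.32 and 66.59 > 47.46.
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Return (per-device findings sorted worst-first, summary counts) for an asset list."""
    findings = [{**asset, "status": assess(asset["version"])} for asset in inventory]
    order = {"vulnerable": 0, "unparseable": 1, "unknown-train": 2, "patched": 3}
    findings.sort(key=lambda f: order[f["status"]])
    return findings, Counter(f["status"] for f in findings)


# Constructed sample inventory: hostnames, vendors and builds are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "adc-edge-01", "vendor": "Payroll SaaS Ltd", "role": "ADC", "version": "14.1-66.59"},
    {"host": "adc-edge-02", "vendor": "Payroll SaaS Ltd", "role": "ADC", "version": "14.1-47.46"},
    {"host": "gw-vpn-01", "vendor": "Claims Processor Inc", "role": "Gateway", "version": "13.1-62.23"},
    {"host": "gw-vpn-02", "vendor": "Claims Processor Inc", "role": "Gateway", "version": "13.1-58.32"},
    {"host": "adc-lab-09", "vendor": "Internal", "role": "ADC", "version": "12.1-55.10"},
    {"host": "gw-legacy", "vendor": "Internal", "role": "Gateway", "version": "build-unknown"},
]


if __name__ == "__main__":
    findings, summary = triage(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f['status']:<13} {f['host']:<12} {f['vendor']:<22} {f['version']}")
    print("summary:", dict(summary))
```

Running the same script after the maintenance window, against a freshly collected inventory, is the post-patch validation: any device still reported as `vulnerable`, or as `unknown-train` or `unparseable`, is a follow-up item for the vendor concerned.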
Technical Notes –
- CVE‑2026‑3055: Input‑validation error → memory overread → potential theft of SAML tokens when NetScaler acts as an IdP.
- CVE‑2026‑4368: Low‑privilege race condition → session mix‑ups on SSL VPN, ICA Proxy, CVPN, RDP proxy.
- Both vulnerabilities are classified as Critical (CVSS ≈ 9.8). No public exploits yet, but similarity to the “CitrixBleed” series suggests rapid weaponisation.
Source: BleepingComputer