NetScaler Security Bulletin

CVE-2026-8451 / CVE-2026-8452 / CVE-2026-8655 / CVE-2026-10816 / CVE-2026-10817 / CVE-2026-13474

*** HIGH ***


Upgrade information

Check your NetScaler version information.
If your version is lower than the corresponding version listed below for your release train, upgrade.

  • NetScaler ADC and NetScaler Gateway 14.1-72.61
  • NetScaler ADC and NetScaler Gateway 13.1-63.18
  • NetScaler ADC 13.1-FIPS 13.1-37.272-FIPS
  • NetScaler ADC 13.1-NDcPP 13.1-37.272-NDcPP
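The version comparison above has one trap: the 13.1-FIPS and 13.1-NDcPP trains have their own fixed build (37.272), so a naive numeric comparison against mainline 13.1-63.18 would wrongly flag a patched FIPS appliance. The following is an added example, not CoreLayer's or Citrix's code; it parses versions as written in this bulletin and in `show ns version` output (the CLI output format and the `-FIPS`/`-NDcPP` suffix used to identify those trains are assumptions) and checks them against the fixed builds listed here.

```python
import re
from typing import Optional, Tuple

# Fixed builds from this bulletin, keyed by release train. The FIPS and
# NDcPP trains are separate from mainline 13.1 and have their own fix.
FIXED_BUILDS = {
    "14.1": (72, 61),
    "13.1": (63, 18),
    "13.1-FIPS": (37, 272),
    "13.1-NDcPP": (37, 272),
}

# Accepts the bulletin notation ("14.1-72.61", "13.1-37.272-FIPS") and the
# assumed "NS14.1: Build 72.61.nc" form printed by "show ns version".
VERSION_RE = re.compile(
    r"(?:NS)?(?P<major>\d+\.\d+)(?::\s*Build\s+|-)(?P<build>\d+)\.(?P<minor>\d+)"
    r"(?:\.nc)?(?:-(?P<train>FIPS|NDcPP))?"
)


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (train, (build, minor)) for a NetScaler version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    train = m.group("major")
    if m.group("train"):
        train += "-" + m.group("train")  # e.g. "13.1-FIPS"
    return train, (int(m.group("build")), int(m.group("minor")))


def is_patched(text: str) -> Optional[bool]:
    """True if at or above the fixed build for its train, False if older,
    None if the train has no fixed build in this bulletin (e.g. 12.1)."""
    train, build = parse_version(text)
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return None
    return build >= fixed  # tuple compare: build first, then minor


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real appliance.
    for v in ["14.1-72.18", "13.1-37.272", "13.1-37.272-FIPS",
              "NetScaler NS14.1: Build 72.61.nc, Date: Jan 1 2026"]:
        print(f"{v!r}: patched={is_patched(v)}")
```

Note that `13.1-37.272` without a suffix is reported as unpatched (mainline 13.1 needs 63.18) while `13.1-37.272-FIPS` is reported as patched.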

Details

CVE-2026-8452 - Score 8.8/10

Pre-Conditions

If you use any of the following features, you are impacted by this vulnerability!

  • NetScaler Gateway - VPN virtual server
  • NetScaler Gateway - ICA Proxy
  • NetScaler Gateway - CVPN
  • NetScaler Gateway - RDP Proxy
  • NetScaler AAA (Authentication, Authorization, Auditing)

Description

Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service.

CWE-119:

  • Improper restriction of operations within the bounds of a memory buffer

CVE-2026-8451 - Score 8.8/10

Pre-Conditions

Citrix ADC or Citrix Gateway must be configured as a SAML IDP

Description

Insufficient input validation leading to memory overread

CWE-125:

  • Out-of-bounds read

CVE-2026-8655 - Score 8.8/10

Pre-Conditions

Citrix ADC must be configured as any of the following:

  • LB vserver of type "Oracle"
  • DNS Proxy
  • DNS recursive resolver

Description

Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service.

CWE-119:

  • Improper restriction of operations within the bounds of a memory buffer

CVE-2026-10816 - Score 7.1/10

Pre-Conditions

Access to any of the following IP addresses:

  • NSIP
  • SNIP, with management access enabled
  • Cluster IP, with management access enabled

Description

Arbitrary File Read (Unauthenticated)

CWE-73:

  • External control of file name or path

CVE-2026-10817 - Score 6.9/10

Pre-Conditions

TCP timestamps enabled in a TCP profile that is bound to a virtual server of type LB, CS or VPN, or to a service configured on NetScaler

Description

CWE-125:

  • Out-of-bounds read

CVE-2026-13474 - Score 8.7/10

Pre-Conditions

HTTP/2 enabled in an HTTP profile that is bound to a virtual server of type LB, CS or VPN, or to a service configured on NetScaler

Description

Denial-of-service via malformed HTTP/2 requests

CWE-401:

  • Missing release of memory after effective lifetime