Citrix NetScaler Flaws Expose ADC and Gateway to Remote DoS and Memory Errors

Updated 6h ago | First seen Jun 30, 2026 | 8 sources

Citrix published a security advisory for NetScaler ADC and NetScaler Gateway, warning that multiple high-severity vulnerabilities can be exploited remotely in specific deployments and configurations. The advisory, highlighted by the Canadian Centre for Cyber Security, affects the 14.1 and 13.1 release lines as well as certain NetScaler FIPS and NDcPP editions, and references six CVEs including CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-13474. Administrators were urged to review Citrix’s bulletin and move affected systems to fixed versions.

The disclosed flaws include a malformed HTTP/2 request issue that can trigger denial of service when HTTP/2 is enabled on affected LB, CS, VPN virtual servers or services (CVE-2026-13474); multiple memory overflow vulnerabilities tied to Oracle load balancer, DNS proxy, and DNS recursive resolver deployments (CVE-2026-8655); a memory overread caused by insufficient input validation when NetScaler is configured as a SAML Identity Provider (CVE-2026-8451); and a separate memory overflow vulnerability affecting Gateway or AAA virtual servers, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy deployments (CVE-2026-8452). Recommended mitigations include applying Citrix security updates, disabling HTTP/2 or vulnerable Gateway features where not required, reviewing exposed virtual server and HTTP profile configurations, and monitoring for anomalous behavior.
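
To triage which of these preconditions apply to a given appliance, the following added example (not code from Citrix or from this page) scans a saved `ns.conf` for the roles named under each CVE. The matching patterns are assumptions based on standard NetScaler CLI syntax, the sample configuration is constructed, and the script does not check firmware versions.

```python
import shlex
from collections import defaultdict

# Constructed sample ns.conf; names and addresses are illustrative only.
SAMPLE_NS_CONF = """\
add ns httpProfile prof_h2 -http2 ENABLED
add ns httpProfile prof_h1 -http2 DISABLED
add lb vserver lb_web SSL 203.0.113.10 443 -httpProfileName prof_h2
add lb vserver lb_api SSL 203.0.113.13 443 -httpProfileName prof_h1
add lb vserver lb_ora ORACLE 203.0.113.11 1521
add lb vserver "lb dns" DNS 203.0.113.12 53
add vpn vserver gw_main SSL 203.0.113.20 443
add authentication samlIdPProfile idp_prof
"""

def opt(tokens, name):
    """Value following option `name` (lowercase, matched case-insensitively), or None."""
    low = [t.lower() for t in tokens]
    return tokens[low.index(name) + 1] if name in low[:-1] else None

def audit(conf_text):
    """Map each CVE to the config objects matching its stated precondition."""
    hits, h2, users = defaultdict(list), set(), {}
    for line in conf_text.splitlines():
        try:
            t = shlex.split(line)  # handles quoted object names
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if len(t) < 4 or t[0] not in ("add", "set"):
            continue
        kind, name = f"{t[1]} {t[2]}".lower(), t[3]
        if t[1].lower() in ("service", "servicegroup"):
            kind, name = t[1].lower(), t[2]
        if kind == "ns httpprofile" and opt(t, "-http2"):
            # A later 'set' overrides earlier state, following ns.conf order.
            (h2.add if opt(t, "-http2").upper() == "ENABLED" else h2.discard)(name)
        if kind in ("lb vserver", "cs vserver", "vpn vserver", "service", "servicegroup"):
            if opt(t, "-httpprofilename"):
                users[f"{kind} {name}"] = opt(t, "-httpprofilename")
        if kind == "authentication samlidpprofile":
            hits["CVE-2026-8451"].append(name)
        if kind in ("vpn vserver", "authentication vserver"):
            hits["CVE-2026-8452"].append(f"{kind} {name}")
        if kind == "lb vserver" and len(t) > 4 and t[4].upper() in ("ORACLE", "DNS", "DNS_TCP"):
            hits["CVE-2026-8655"].append(f"{kind} {name} ({t[4].upper()})")
        if kind == "dns parameter" and (opt(t, "-recursion") or "").upper() == "ENABLED":
            hits["CVE-2026-8655"].append("dns recursion enabled")
    hits["CVE-2026-13474"] = [e for e, p in users.items() if p in h2]
    return {cve: sorted(set(v)) for cve, v in hits.items() if v}
```

A match means the appliance runs the role the CVE depends on, not that it is unpatched. Entities with no explicit `-httpProfileName` inherit the default HTTP profile, which this sketch does not resolve.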

EVENT TIMELINE

How this story unfolded

7 events from the most recent confirmed update back to the earliest known activity.

Jun 30, 2026 (2d ago)

Canadian Cyber Centre urges NetScaler administrators to update

On 2026-06-30, the Canadian Centre for Cyber Security published alert AV26-645 highlighting Citrix's NetScaler advisory and urging users and administrators to review the bulletin and apply the necessary updates. It noted that affected products remain vulnerable until updated to the fixed versions.

Citrix security advisory (AV26-645) - Canadian Centre for Cyber Security

Citrix adds manual mitigation guidance for CVE-2026-13474

Citrix said some deployments affected by CVE-2026-13474 require not only upgrading to fixed NetScaler versions but also manually configuring Http2SmallWndTimeout to fully address the HTTP/2 denial-of-service issue. The company also stated it had no evidence of in-the-wild exploitation at the time of disclosure.

Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service

CVE-2026-13474 disclosed for malformed HTTP/2 request DoS

CVE-2026-13474 was disclosed as a high-severity denial-of-service vulnerability affecting NetScaler ADC and NetScaler Gateway when HTTP/2 is enabled in an HTTP Profile tied to certain virtual servers or services. The issue can be triggered remotely through malformed HTTP/2 requests.

CVE-2026-13474 - Denial of service via malformed HTTP/2 requests

CVE-2026-8655 disclosed for Oracle and DNS NetScaler roles

CVE-2026-8655 was disclosed as multiple memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway that can lead to erroneous behavior and denial of service. Exploitation is possible when NetScaler ADC is configured as an Oracle load balancer, DNS proxy, or DNS recursive resolver.

CVE-2026-8655 - Multiple Memory overflow vulnerabilities leading to unpredictable or erroneous behavior and Denial of Service

CVE-2026-8452 disclosed for NetScaler Gateway and AAA servers

CVE-2026-8452 was disclosed as a high-severity memory overflow vulnerability in NetScaler ADC and NetScaler Gateway affecting Gateway or AAA virtual server deployments, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy. The flaw can cause unpredictable behavior or denial of service and is described as remotely exploitable.

CVE-2026-8452 - Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service

CVE-2026-8451 disclosed for NetScaler SAML IDP deployments

CVE-2026-8451 was disclosed as a high-severity insufficient input validation flaw that can cause memory overread in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider. The issue is described as remotely exploitable and vendor fixes were recommended.

CVE-2026-8451 - Insufficient input validation leading to memory overread

Citrix publishes NetScaler advisory covering six CVEs

On 2026-06-30, Citrix published a security advisory for NetScaler ADC, NetScaler Gateway, and certain NetScaler FIPS and NDcPP editions. The advisory covered affected 14.1 and 13.1 release lines and referenced CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474, with updates identified as the remediation.

Citrix security advisory (AV26-645) - Canadian Centre for Cyber Security