Citrix NetScaler Flaws Expose ADC and Gateway to Remote DoS and Memory Errors
Citrix published a security advisory for NetScaler ADC and NetScaler Gateway warning that multiple high-severity vulnerabilities can be exploited remotely in specific deployments and configurations. The advisory, highlighted by the Canadian Centre for Cyber Security, affects the 14.1 and 13.1 release lines as well as certain NetScaler FIPS and NDcPP editions, and covers six CVEs: CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474. Administrators were urged to review Citrix's bulletin and move affected systems to fixed versions.
The disclosed flaws include a malformed HTTP/2 request issue that can trigger denial of service when HTTP/2 is enabled in an HTTP profile bound to affected LB, CS or VPN virtual servers or services (CVE-2026-13474); multiple memory overflow vulnerabilities tied to Oracle load balancer, DNS proxy, and DNS recursive resolver deployments (CVE-2026-8655); a memory overread caused by insufficient input validation when NetScaler is configured as a SAML Identity Provider (CVE-2026-8451); and a separate memory overflow vulnerability affecting Gateway or AAA virtual servers, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy deployments (CVE-2026-8452). Recommended mitigations include applying Citrix security updates, disabling HTTP/2 or vulnerable Gateway features where they are not required, reviewing exposed virtual server and HTTP profile configurations, and monitoring for anomalous behavior. For CVE-2026-13474, Citrix noted that some deployments must additionally configure Http2SmallWndTimeout by hand, so upgrading alone does not always close the HTTP/2 denial-of-service issue.
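The configuration review above is where most of the practical work is: an administrator needs to know which HTTP profiles have HTTP/2 enabled, which LB, CS and VPN virtual servers and services use them, and whether SAML IdP, Gateway or AAA virtual servers exist at all. The script below is an added example, not Citrix code and not part of the advisory, that performs that triage against an ns.conf export. The option names it keys on (-http2, -httpProfileName, samlIdPProfile) and the default profile name nshttp_default_profile follow common ns.conf conventions but are assumptions here, and the sample export is constructed; confirm both against your own appliance and the Citrix bulletin before acting on the output.

```python
"""Audit an ns.conf export for the configurations named in the Citrix advisory.

Added example (not Citrix code, not the advisory's own guidance). It parses
ns.conf-style lines and reports:
  * HTTP profiles with -http2 ENABLED and the LB/CS/VPN vservers and services
    that use them (the exposure condition for CVE-2026-13474);
  * SAML IdP profiles (the condition for CVE-2026-8451);
  * Gateway (vpn) and AAA (authentication) vservers (CVE-2026-8452).
The option names and the default profile name are assumptions based on common
ns.conf conventions; verify them against a real export.
"""
import shlex
from dataclasses import dataclass, field

DEFAULT_HTTP_PROFILE = "nshttp_default_profile"  # assumed default profile name
HTTP2_BEARING = {("lb", "vserver"), ("cs", "vserver"), ("vpn", "vserver"), ("service",)}
GATEWAY_AAA = {("vpn", "vserver"), ("authentication", "vserver")}

# Constructed sample export; not taken from any real appliance.
SAMPLE_NS_CONF = """\
add ns httpProfile http2_front -http2 ENABLED -http2Direct ENABLED
add ns httpProfile legacy_front -http2 DISABLED
add lb vserver lb_web HTTP 10.0.0.10 80 -httpProfileName legacy_front
add lb vserver lb_api SSL 10.0.0.11 443
set lb vserver lb_api -httpProfileName http2_front
add cs vserver cs_portal SSL 10.0.0.12 443 -httpProfileName http2_front
add service svc_app 10.0.1.20 HTTP 8080 -httpProfileName http2_front
add vpn vserver gw_main SSL 10.0.0.13 443
add authentication vserver aaa_main SSL 10.0.0.14 443
add authentication samlIdPProfile idp_corp -samlSPCertName sp_cert -samlIdPCertName idp_cert
"""


@dataclass
class Findings:
    http2_profiles: set = field(default_factory=set)
    http2_bound: list = field(default_factory=list)           # (kind, name, profile)
    saml_idp_profiles: list = field(default_factory=list)
    gateway_aaa_vservers: list = field(default_factory=list)  # (kind, name)


def _options(tokens):
    """Collect trailing '-flag value' pairs, lower-casing the flag names."""
    opts = {}
    for i, t in enumerate(tokens):
        if t.startswith("-") and i + 1 < len(tokens):
            opts[t.lower()] = tokens[i + 1]
    return opts


def audit_ns_conf(text):
    f = Findings()
    bindings = {}  # (kind, name) -> HTTP profile in effect after all add/set lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0].lower() not in ("add", "set"):
            continue
        verb = tok[0].lower()
        # "service" is a one-word object type; everything else here is two words.
        kind = (tok[1].lower(),) if tok[1].lower() == "service" else (tok[1].lower(), tok[2].lower())
        if len(tok) <= len(kind) + 1:
            continue
        name = tok[len(kind) + 1]
        opts = _options(tok)
        if kind == ("ns", "httpprofile"):
            if opts.get("-http2", "").upper() == "ENABLED":
                f.http2_profiles.add(name)
            elif "-http2" in opts:
                f.http2_profiles.discard(name)  # a later 'set ... -http2 DISABLED' wins
        elif kind == ("authentication", "samlidpprofile") and name not in f.saml_idp_profiles:
            f.saml_idp_profiles.append(name)
        if kind in HTTP2_BEARING:
            if verb == "add":
                # An object created without -httpProfileName inherits the default profile.
                bindings[(kind, name)] = opts.get("-httpprofilename", DEFAULT_HTTP_PROFILE)
            elif "-httpprofilename" in opts:
                bindings[(kind, name)] = opts["-httpprofilename"]
        if kind in GATEWAY_AAA and verb == "add":
            f.gateway_aaa_vservers.append((" ".join(kind), name))
    # Resolve bindings last so the result does not depend on line order.
    f.http2_bound = [(" ".join(k), n, p) for (k, n), p in bindings.items() if p in f.http2_profiles]
    return f


def report(f):
    """Render findings as one line each; the CVE tags mark advisory scope, not confirmed exposure."""
    lines = []
    for kind, name, prof in sorted(f.http2_bound):
        lines.append(f"HTTP/2 enabled: {kind} {name} uses profile {prof} (CVE-2026-13474 scope)")
    for name in f.saml_idp_profiles:
        lines.append(f"SAML IdP profile {name} configured (CVE-2026-8451 scope)")
    for kind, name in f.gateway_aaa_vservers:
        lines.append(f"{kind} {name} present (CVE-2026-8452 scope; check build against the bulletin)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_ns_conf(SAMPLE_NS_CONF))) or "nothing flagged")
```

The default-profile handling matters in practice: a Gateway virtual server created without an explicit -httpProfileName is only in the HTTP/2 scope if HTTP/2 has been enabled on nshttp_default_profile itself, which the script detects regardless of whether that `set` line appears before or after the vserver definition.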

How this story unfolded
Seven events, listed from the most recent confirmed update back to the earliest known activity.
Canadian Cyber Centre urges NetScaler administrators to update
On 2026-06-30, the Canadian Centre for Cyber Security published alert AV26-645 highlighting Citrix's NetScaler advisory and urging users and administrators to review the bulletin and apply the necessary updates. It noted that affected products remain vulnerable until updated to the fixed versions.
Citrix adds manual mitigation guidance for CVE-2026-13474
Citrix said some deployments affected by CVE-2026-13474 require not only upgrading to fixed NetScaler versions but also manually configuring Http2SmallWndTimeout to fully address the HTTP/2 denial-of-service issue. The company also stated it had no evidence of in-the-wild exploitation at the time of disclosure.
CVE-2026-13474 disclosed for malformed HTTP/2 request DoS
CVE-2026-13474 was disclosed as a high-severity denial-of-service vulnerability affecting NetScaler ADC and NetScaler Gateway when HTTP/2 is enabled in an HTTP Profile tied to certain virtual servers or services. The issue can be triggered remotely through malformed HTTP/2 requests.
CVE-2026-8655 disclosed for Oracle and DNS NetScaler roles
CVE-2026-8655 was disclosed as multiple memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway that can lead to erroneous behavior and denial of service. Exploitation is possible when NetScaler ADC is configured as an Oracle load balancer, DNS proxy, or DNS recursive resolver.
CVE-2026-8452 disclosed for NetScaler Gateway and AAA servers
CVE-2026-8452 was disclosed as a high-severity memory overflow vulnerability in NetScaler ADC and NetScaler Gateway affecting Gateway or AAA virtual server deployments, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy. The flaw can cause unpredictable behavior or denial of service and is described as remotely exploitable.
CVE-2026-8451 disclosed for NetScaler SAML IDP deployments
CVE-2026-8451 was disclosed as a high-severity insufficient input validation flaw that can cause memory overread in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider. The issue is described as remotely exploitable and vendor fixes were recommended.
Citrix publishes NetScaler advisory covering six CVEs
On 2026-06-30, Citrix published a security advisory for NetScaler ADC, NetScaler Gateway, and certain NetScaler FIPS and NDcPP editions. The advisory covered affected 14.1 and 13.1 release lines and referenced CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474, with updates identified as the remediation.
Sources
Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service (thehackernews.com)
Citrix patches a new NetScaler flaw with echoes of CitrixBleed (cyberscoop.com)
Citrix security advisory (AV26-645), Canadian Centre for Cyber Security (cyber.gc.ca)
CVE-2026-8452: Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service (cvefeed.io)
CVE-2026-13474: Denial of service via malformed HTTP/2 requests (cvefeed.io)
CVE-2026-8451: Insufficient input validation leading to memory overread (cvefeed.io)
Multiple High-Severity Vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-8451), Beazley Security Labs (labs.beazley.security)
CVE-2026-8655: Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and Denial of Service (cvefeed.io)


