
NetScaler Memory Overread Flaw Revives CitrixBleed Fears

by Rebecca Sutton

Citrix has patched a NetScaler memory overread bug that lets an attacker
pull raw process memory out of an appliance with a single malformed request.
No credentials are needed. The flaw, tracked as CVE-2026-8451, carries a CVSS
score of 8.8. It belongs to the same family of memory-overread bugs in
request parsing that produced the original CitrixBleed disaster in 2023.
The researchers who found it say the pattern looks like a habit, not an
accident.

The NetScaler memory overread bug, explained

CVE-2026-8451 hits NetScaler ADC and NetScaler Gateway appliances running
as a SAML identity provider. That is a common setup for single sign-on into
internal apps. Vulnerable versions are 14.1 before 14.1-72.61 and 13.1 before
13.1-63.18, plus the matching FIPS and NDcPP builds. Citrix fixed it, along
with five other bugs, in builds published on 30 June 2026.

Researchers at watchTowr Labs get the credit for finding it. They traced
the bug to NetScaler’s own XML parser, written in-house rather than taken
from a tested library. The parser reads the SAML AuthnRequest submitted to
the /saml/login endpoint. For an unquoted attribute value it should stop at
the first whitespace character. In practice it stops only at a null byte or
the next > character, so an attribute value that is never terminated keeps
it reading past the end of the request and into whatever lies beyond that
buffer in process memory.
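The scan described above, as a constructed C model added here for illustration. It is not Citrix’s code and not a reconstruction of the real nsppe parser; the request bytes, the "adjacent" memory contents and the function names are all made up for the demonstration. The request is laid out directly in front of some unrelated bytes so that the unbounded scan, which stops only at a null byte or >, runs off the end of the request and into them, while the bounded form (the same check a request filter would apply to a decoded AuthnRequest) stops at whitespace and refuses a value that reaches the end of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed AuthnRequest fragment: the ID attribute is unquoted and
 * nothing ever terminates it (no quote, no whitespace, no '>'). */
static const char request_bytes[] = "<samlp:AuthnRequest ID=AAAAAAAA";

/* Constructed stand-in for whatever sits after the request in process
 * memory. It contains no NUL and no '>' until its last byte, so a scan
 * that stops only on those keeps reading straight through it. */
static const char adjacent_bytes[] = "NSC_SESSION=0x7ffd1c3e9a40;user=alice>";

/* Model of the scan the article describes: read until NUL or '>', with
 * no regard for whitespace or the end of the request buffer.
 * Returns the number of bytes taken as the attribute value. */
size_t scan_attr_value_unbounded(const char *p)
{
    size_t n = 0;
    while (p[n] != '\0' && p[n] != '>')
        n++;
    return n;
}

/* Hardened form: the caller passes the number of bytes actually left in
 * the request, and the scan also stops at whitespace or a tag-closing
 * character. A value that runs into the end of the buffer is an error
 * (-1), not a reason to keep reading. */
long scan_attr_value_bounded(const char *p, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        char c = p[n];
        if (c == '>' || c == '/' || c == ' ' || c == '\t' ||
            c == '\r' || c == '\n')
            return (long)n;
    }
    return -1; /* unterminated attribute: reject the request */
}

/* Lays the request out directly in front of the adjacent bytes, runs the
 * unbounded scan from the start of the ID value, and returns how many
 * bytes past the end of the request it consumed. */
size_t demo_overread_bytes(void)
{
    char arena[sizeof(request_bytes) - 1 + sizeof(adjacent_bytes)];
    size_t req_len = sizeof(request_bytes) - 1;
    size_t value_off = (size_t)(strstr(request_bytes, "ID=") - request_bytes) + 3;

    memcpy(arena, request_bytes, req_len);
    memcpy(arena + req_len, adjacent_bytes, sizeof(adjacent_bytes));

    size_t consumed = scan_attr_value_unbounded(arena + value_off);
    size_t in_request = req_len - value_off;
    return consumed > in_request ? consumed - in_request : 0;
}

/* Same input through the bounded scan: it never leaves the request. */
long demo_bounded_result(void)
{
    size_t req_len = sizeof(request_bytes) - 1;
    size_t value_off = (size_t)(strstr(request_bytes, "ID=") - request_bytes) + 3;
    return scan_attr_value_bounded(request_bytes + value_off, req_len - value_off);
}

int main(void)
{
    printf("unbounded scan read %zu bytes past the request\n", demo_overread_bytes());
    printf("bounded scan result: %ld (-1 = rejected as unterminated)\n",
           demo_bounded_result());

    /* A well-formed unquoted value: the bounded scan stops at the first
     * space (6 bytes); the unbounded one swallows the next attribute too. */
    const char ok[] = "abc123 Version=2.0>";
    printf("well-formed: bounded=%ld unbounded=%zu\n",
           scan_attr_value_bounded(ok, sizeof(ok) - 1),
           scan_attr_value_unbounded(ok));
    return 0;
}
```

The arena keeps the demonstration inside one allocation, so it is well-defined C; the real bug reads outside the allocation, which is exactly why the leaked bytes look like pointers and filler rather than anything the attacker chose. The only change that matters in the hardened version is that the loop condition is the remaining request length, not the content of the byte being read.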

Why this feels like CitrixBleed all over again

The leaked bytes come back inside the NSC_TASS response
cookie. In tests, the researchers pulled out binary data, filler patterns, and
what looked like live memory pointers. A second, simpler payload crashes the
appliance’s nsppe process, the packet processing engine, outright. So the same
bug doubles as a denial-of-service switch for anyone who simply wants the
appliance offline.

The original CitrixBleed, CVE-2023-4966, leaked whole session tokens out
of NetScaler memory in 2023. Attackers exploited it within weeks, hijacking
live sessions with no password and no multi-factor prompt. This new bug
leaks less per request, a handful of bytes rather than kilobytes. But the
root cause has not moved an inch: Citrix is still parsing untrusted input
with code that was never hardened for it. watchTowr researcher Aliz Hammond
said memory management “continues to appear fragile within Citrix NetScaler
appliances.” That is a polite way of saying the same mistake keeps coming
back.

How long Citrix sat on the fix

watchTowr reported the bug to Citrix on 28 March 2026. Hammond had found
it while reproducing an entirely separate NetScaler flaw disclosed earlier in
the year. Citrix confirmed on 7 May that a fix was in development. The vendor
told researchers to expect publication on 29 June, then slipped a day to 30
June. Three months between report and patch is not unusual for an appliance
vendor coordinating a fix across multiple supported branches. But it does
mean the bug sat unpatched, known to at least one outside party, for most of
that window.

A crowded bulletin, and an unusual name on it

The 30 June bulletin actually closed six bugs at once: CVE-2026-8451,
CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817 and
CVE-2026-13474. Three of the six share that 8.8 severity score. Citrix
credited three separate researchers in the disclosure. One name stands
out: Michael Tucker of JPMorgan Chase’s internal security team, working
alongside Hammond and researcher Maxim Suhanov. A major bank appearing by
name in a Citrix bulletin is a first. It shows how seriously large NetScaler
operators now audit their own edge infrastructure. They are not waiting for
outside researchers to find the next bug for them.

What NetScaler admins should do now

The NetScaler memory overread flaw has not yet triggered any confirmed
attacks that Citrix or outside researchers have flagged. Citrix’s advisory
lists no evidence of active exploitation at disclosure, and
CVE-2026-8451 had not appeared in CISA’s Known Exploited Vulnerabilities
catalog as this article went to press. That is thin comfort, though, given
NetScaler’s record. The platform has racked up more than twenty KEV entries
in three years, and several of those bugs were weaponised for ransomware
within days of a patch landing. And many internet-facing appliances stay
unpatched for months after a fix ships, or remain exposed in other ways
even once they are updated.

Treat this as an urgent patch, not a routine one, if your NetScaler runs
as a SAML identity provider. Where an immediate update is not possible,
disable SAML IdP functionality (accepting that single sign-on into the
dependent apps stops with it), restrict management and login access behind
a firewall or VPN where users are already on the network, and watch
/saml/login traffic for malformed requests. Bear in mind that a SAML
AuthnRequest arrives base64-encoded, and deflated under the HTTP-Redirect
binding, so a filter has to decode the SAMLRequest parameter before it can
see an unterminated attribute. Those steps buy time while the real fix gets
scheduled and tested. None of them replace the patch itself.

It is worth folding this appliance into your existing vulnerability
management programme. Do not treat NetScaler as a special case that only
gets attention when a new CVE makes headlines. Testing your incident response plan against
an identity-compromise scenario, not just a ransomware one, is a reasonable
follow-up given how directly this bug touches authentication.
