Last updated: July 5, 2026 at 9:01 AM UTC
Tag: citrixbleed (1 article)

Citrix patches six NetScaler flaws, including a CitrixBleed-style memory leak

Citrix has released fixes for six vulnerabilities in NetScaler ADC and NetScaler Gateway, including a high-severity memory-disclosure flaw that researchers place in the same class as the 2023 CitrixBleed bug. That flaw (CVE-2026-8451, rated 8.8) leaks small amounts of memory through malformed SAML requests and shares a root cause with an earlier NetScaler bug that was exploited within days of disclosure. The bulletin also covers an unauthenticated arbitrary file read and several denial-of-service issues, with CVSS scores from 6.9 to 8.8. No exploitation has been reported yet, but NetScaler appliances have drawn more than 20 entries on CISA's exploited-vulnerabilities list in three years, several used in ransomware.

Check
Inventory NetScaler ADC and Gateway appliances and their configurations, checking whether they run as SAML identity providers, expose management IPs, or use HTTP/2, and confirm which builds they are on.
Affected
NetScaler ADC and Gateway appliances on affected builds (CVE-2026-8451 and five others); SAML identity-provider setups risk memory disclosure, and other configurations face arbitrary file read or denial of service.
Fix
Update to NetScaler ADC and Gateway 14.1-72.61 or later fixed builds, and for the HTTP/2 denial-of-service flaw, manually set the Http2SmallWndTimeout parameter, since patching alone does not fully close it.