Overview
- Citrix released updates for NetScaler ADC and NetScaler Gateway that fix CVE-2026-3055, a critical memory-disclosure flaw, and CVE-2026-4368, a session-mixup race condition, with fixes shipping in 14.1-66.59, 13.1-62.23, and 13.1.37.262 (NDcPP).
- CVE-2026-3055 is an out-of-bounds read that can let an unauthenticated attacker pull sensitive data from appliance memory when the device runs as a SAML Identity Provider, a setup common in single sign-on.
- Admins can confirm exposure to CVE-2026-3055 by checking the appliance configuration for a line matching "add authentication samlIdPProfile .*", which is absent from a default configuration.
- CVE-2026-4368 can cause one user's session to appear to another user on gateways or AAA virtual servers, and admins can spot such setups with "add vpn vserver .*" or "add authentication vserver .*".
- Citrix, Rapid7, and others report no in-the-wild attacks or public proof-of-concept yet, but they warn that fast weaponization is likely given past CitrixBleed exploits and advise urgent patching and tighter network access to exposed devices.
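The two configuration checks and the fixed-build comparison above can be scripted against a saved ns.conf and a version string. The following POSIX shell script is an added example, not code from Citrix, Rapid7, or the summarized advisory: it scans a constructed sample configuration for the indicator lines named above and compares a "branch-build" version string (e.g. 14.1-66.59) against the fixed builds. The sample config contents, the assumption that the NDcPP build is reported as 13.1-37.N, and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: check a NetScaler configuration and version for exposure
# to CVE-2026-3055 and CVE-2026-4368 using the indicators from the summary.
# Not part of any Citrix tooling; sample data below is constructed.

# Constructed sample ns.conf with both indicator lines present.
SAMPLE_CONF="${TMPDIR:-/tmp}/ns_sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
add ns ip 10.0.0.5 255.255.255.0
add vpn vserver gw_vs SSL 10.0.0.10 443
add authentication samlIdPProfile idp_prof -samlIdPCertName cert1
set ns param -timezone GMT
EOF

# Print one line per matching indicator; return 0 if any matched, else 1.
check_netscaler_exposure() {
    conf="$1"
    found=1
    # CVE-2026-3055 indicator: appliance acts as a SAML Identity Provider.
    if grep -Eq '^add authentication samlIdPProfile .*' "$conf"; then
        echo "CVE-2026-3055: SAML IdP profile configured"
        found=0
    fi
    # CVE-2026-4368 indicator: Gateway or AAA virtual server present.
    if grep -Eq '^add vpn vserver .*|^add authentication vserver .*' "$conf"; then
        echo "CVE-2026-4368: Gateway or AAA virtual server configured"
        found=0
    fi
    return $found
}

# Number of indicator lines reported for a config (0 when clean).
count_indicators() {
    check_netscaler_exposure "$1" | wc -l | tr -d ' '
}

# Return 0 if "branch-build" (e.g. 14.1-66.59) is at or above the fixed
# build for its branch, 1 if below, 2 if the branch is not covered here.
# Assumption: NDcPP builds are reported as 13.1-37.N (fixed at 13.1-37.262).
is_patched() {
    ver="$1"
    branch="${ver%%-*}"      # 14.1 or 13.1
    build="${ver#*-}"        # e.g. 66.59
    b_major="${build%%.*}"
    b_minor="${build#*.}"
    case "$branch" in
        14.1) f_major=66; f_minor=59 ;;
        13.1)
            if [ "$b_major" -eq 37 ]; then
                f_major=37; f_minor=262   # NDcPP branch
            else
                f_major=62; f_minor=23
            fi ;;
        *) return 2 ;;
    esac
    if [ "$b_major" -gt "$f_major" ]; then
        return 0
    fi
    if [ "$b_major" -eq "$f_major" ] && [ "$b_minor" -ge "$f_minor" ]; then
        return 0
    fi
    return 1
}

# Demonstration run on the constructed sample.
if check_netscaler_exposure "$SAMPLE_CONF"; then
    echo "indicators found: $(count_indicators "$SAMPLE_CONF")"
else
    echo "no indicators found"
fi
```

On a real appliance the configuration to scan is the running config (the output of `show ns runningConfig` or the saved ns.conf), and the version string should be taken from the appliance itself; a match on either indicator together with an unpatched build is the condition the advisory treats as exposed.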