CVE-2026-3055

Citrix NetScaler ADC & Gateway — Memory Overread via Insufficient Input Validation (SAML IDP)
CVSS 3.1: 9.8 / 10 (CRITICAL). Listed in the CISA Known Exploited Vulnerabilities catalog.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 30, 2026, with a remediation deadline of April 2, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-3055 is a memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway. The flaw is caused by insufficient input validation when the appliance is configured as a SAML Identity Provider (IDP), leading to an out-of-bounds read (CWE-125) that discloses sensitive process memory — including session tokens and authentication credentials — to unauthenticated remote attackers. This vulnerability has been compared to "CitrixBleed" due to its similar exploitation pattern and devastating impact.

Active Exploitation & "CitrixBleed 3" Comparisons

This CVE was added to CISA KEV on March 30, 2026 — one week after publication on March 23 — with an unusually aggressive 3-day remediation deadline of April 2, 2026. This extremely short deadline signals the severity and urgency that CISA attributes to active exploitation.

In-the-wild exploitation confirmed. Security firm watchTowr Labs reported evidence of exploitation from known threat actor source IPs beginning March 27, 2026 — just 4 days after the advisory was published. Their honeypot network observed exploitation attempts targeting the /saml/login and /wsfed/passive endpoints.

Why This Is So Dangerous

  • Unauthenticated, remote exploitation: No credentials, no user interaction — just a single HTTP request can trigger memory disclosure.
  • Session token theft: Leaked memory contains active administrative session IDs, enabling full appliance takeover.
  • Multiple vulnerable endpoints: watchTowr Labs identified at least two distinct memory overread paths (/saml/login and /wsfed/passive?wctx) patched under this single CVE ID.
  • Historical pattern: This follows the same exploitation pattern as the original CitrixBleed (CVE-2023-4966) and CitrixBleed 2 (CVE-2025-5777), making this effectively "CitrixBleed 3".
  • Critical infrastructure exposure: NetScaler ADC and Gateway appliances sit at the network edge, providing VPN, load balancing, and authentication services for enterprise environments.

Vulnerability Description

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread.

The root cause is an out-of-bounds read (CWE-125) triggered when specific SAML/WS-Federation endpoints process requests with missing or malformed parameter values. When a query string parameter (such as wctx) is present but has no associated value, the application checks only for the parameter's presence rather than verifying that valid data exists. It then accesses a buffer that points to uninitialized or freed memory, causing kilobytes of process memory to be disclosed to the attacker — base64-encoded in response cookies.

The leaked memory is highly dynamic and can contain active session tokens, authentication credentials, HTTP request data from other users, and internal configuration details. An attacker can repeatedly send requests to harvest different memory regions, eventually obtaining administrative session IDs that grant full control of the appliance.

Affected Products & Versions

This vulnerability affects customer-managed NetScaler ADC and NetScaler Gateway appliances configured as a SAML Identity Provider. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected (Cloud Software Group applies updates to those automatically).

NetScaler ADC & NetScaler Gateway

Product / Branch               Affected Versions
NetScaler ADC & Gateway 14.1   Before 14.1-60.58
NetScaler ADC & Gateway 13.1   Before 13.1-62.23
NetScaler ADC 13.1-FIPS        Before 13.1-37.262
NetScaler ADC 13.1-NDcPP       Before 13.1-37.262

Vulnerable Endpoints

  • /saml/login
  • /wsfed/passive?wctx

How to Check if You're Vulnerable

Check if your appliance is configured as a SAML IDP by inspecting your NetScaler configuration for:

add authentication samlIdPProfile .*

If this configuration exists and your firmware version is older than the patched versions listed above, your appliance is vulnerable.
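A small script that automates the two-part check above (a SAML IdP profile is present, and the build is older than the fixed build for that branch), added here as an example and not part of the Citrix bulletin or any vendor tool. It assumes the version line has the shape `NetScaler NS14.1: Build 60.50.nc` as printed by `show ns version`, and that the caller knows whether a 13.1 appliance runs the FIPS or NDcPP train; the sample config and build numbers are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed builds from the version table above, keyed by branch. The 13.1 FIPS and
# NDcPP trains use their own build numbering (37.x), so they get separate keys.
FIXED_BUILDS = {
    "14.1": (60, 58),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
    "13.1-NDcPP": (37, 262),
}

# Assumed shape of the first line of "show ns version":
#   NetScaler NS14.1: Build 60.50.nc, Date: ...
_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")

def parse_version(show_ns_version: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (major_build, minor_build)) from 'show ns version' output."""
    m = _VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("unrecognised 'show ns version' output")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def is_saml_idp(ns_conf: str) -> bool:
    """The page's own check: a SAML IdP profile exists in the running config."""
    return re.search(r"^add authentication samlIdPProfile\b", ns_conf, re.M) is not None

def assess(show_ns_version: str, ns_conf: str, train: Optional[str] = None) -> str:
    """Return 'not_configured', 'vulnerable', 'patched' or 'unknown_branch'.

    train: 'FIPS' or 'NDcPP' for those 13.1 builds (assumed to be known to the
    caller, since the version line alone does not say which train it is).
    """
    if not is_saml_idp(ns_conf):
        return "not_configured"   # the bug needs the SAML IdP role
    branch, build = parse_version(show_ns_version)
    fixed = FIXED_BUILDS.get(f"{branch}-{train}" if train else branch)
    if fixed is None:
        return "unknown_branch"   # a train the bulletin does not list
    # Tuple comparison orders (60, 50) before (60, 58), as the build numbers do.
    return "vulnerable" if build < fixed else "patched"

if __name__ == "__main__":
    # Constructed sample input, not taken from a real appliance.
    conf = "add authentication samlIdPProfile idp_prof\n"
    print(assess("NetScaler NS14.1: Build 60.50.nc, Date: ...", conf))  # vulnerable
    print(assess("NetScaler NS14.1: Build 60.58.nc, Date: ...", conf))  # patched
```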

Exploitation Details

Exploitation of this vulnerability is trivially simple. A single unauthenticated HTTP GET request is sufficient to trigger a memory disclosure.

Exploitation complexity is extremely low. No authentication, no special tools, and no user interaction is required. A standard HTTP client can exploit this vulnerability. Proof-of-concept code and detection tools have been publicly released by watchTowr Labs.

Attack Flow

  1. Attacker sends a crafted HTTP request to a vulnerable SAML/WS-Federation endpoint with a parameter present but missing its value.
  2. The NetScaler appliance reads beyond the intended buffer boundary (out-of-bounds read).
  3. Leaked process memory is returned to the attacker, base64-encoded in a response cookie (NSC_TASS).
  4. The attacker repeats the request to harvest different memory regions, looking for session tokens and credentials.
  5. Once an administrative session ID is captured, the attacker uses it to authenticate as an administrator — gaining full control of the appliance.

What Attackers Can Obtain

  • Administrative session IDs — full appliance takeover
  • User authentication tokens — impersonate legitimate users
  • HTTP request data from other sessions — including headers and cookies
  • Internal configuration details — network topology information
  • Memory heap data — potentially containing credentials and sensitive configuration

Impact

Impact Area           Detail
Confidentiality       High — Disclosure of session tokens, credentials, and sensitive memory contents
Integrity             High — Stolen sessions enable full administrative control and configuration changes
Availability          High — Attacker with admin access can disrupt all services behind the appliance
Attack Vector         Network — remotely exploitable over the internet
Privileges Required   None — completely unauthenticated
User Interaction      None — no user action needed to trigger

Downstream Impact: NetScaler ADC and Gateway appliances often serve as the sole entry point for enterprise VPN, application delivery, and authentication. Compromising this device can give attackers access to the entire internal network behind it.

Mitigation & Remediation

CISA BOD 22-01 Deadline: April 2, 2026. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Patched Versions

Branch                                      Fixed Version
NetScaler ADC & Gateway 14.1                14.1-60.58 and later
NetScaler ADC & Gateway 14.1 (additional)   14.1-66.59 and later
NetScaler ADC & Gateway 13.1                13.1-62.23 and later
NetScaler ADC 13.1-FIPS / NDcPP             13.1-37.262 and later

Recommended Actions

  1. Upgrade immediately to one of the patched firmware versions listed above.
  2. Rotate all session tokens and credentials after patching — leaked sessions may still be active.
  3. Review access logs for suspicious requests to /saml/login and /wsfed/passive endpoints, particularly requests with parameters missing values.
  4. If patching is not immediately possible: consider temporarily disabling the SAML IDP configuration if operationally feasible, or restrict network access to the SAML endpoints.
  5. Monitor CISA KEV Catalog for any updated guidance.
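To support step 3 of the list above, here is an added example (not from the advisory or from watchTowr's tooling) that scans access-log lines for requests to the two affected endpoints that carry a query parameter without a value. The combined-log-format layout and the log lines are constructed; the real log source (for example a reverse proxy or WAF in front of the appliance) will differ, so adjust the regex accordingly.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The two endpoints the advisory and watchTowr's analysis name.
WATCHED_PATHS = {"/saml/login", "/wsfed/passive"}

# Combined-log-format request line (assumed layout; adjust to your log source).
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def empty_params(target: str) -> list:
    """Names of query parameters on a watched endpoint that are present but empty.

    keep_blank_values=True makes '?wctx' and '?wctx=' both yield ('wctx', ''),
    which is the present-but-valueless shape the advisory describes.
    """
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return []
    return [k for k, v in parse_qsl(parts.query, keep_blank_values=True) if v == ""]

def suspicious_requests(log_text: str) -> list:
    """Return one dict per log line that matches the heuristic."""
    # Heuristic, not a signature: a legitimate client sending an empty
    # parameter is flagged too, so treat hits as leads to triage.
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        empties = empty_params(m["target"])
        if empties:
            hits.append({"src": m["src"], "ts": m["ts"],
                         "target": m["target"], "params": empties})
    return hits

# Constructed sample log: documentation-range IPs, no real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2026:02:14:05 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 302 0
203.0.113.7 - - [28/Mar/2026:02:14:06 +0000] "GET /wsfed/passive?wctx= HTTP/1.1" 302 0
192.0.2.10 - - [28/Mar/2026:02:15:00 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx=rm%3D0 HTTP/1.1" 302 0
192.0.2.11 - - [28/Mar/2026:02:16:00 +0000] "GET /saml/login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["target"], "empty:", ",".join(hit["params"]))
```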

Post-Patch Verification

A patched appliance responds differently. When sending the exploit request to a patched NetScaler, it returns a clean 302 redirect with no NSC_TASS cookie containing leaked memory. If your appliance still returns base64-encoded data in the NSC_TASS cookie after patching, the update may not have been applied correctly.

Key Details

Property               Value
CVE ID                 CVE-2026-3055
Vendor / Product       Citrix — NetScaler
NVD Published          2026-03-23
NVD Last Modified      2026-03-31
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-125
CISA KEV Added         2026-03-30
CISA KEV Deadline      2026-04-02
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Timeline

Date          Event
2026-03-23    CVE published on NVD; Citrix Security Bulletin CTX696300 released
2026-03-27    watchTowr Labs observes in-the-wild exploitation from known threat actor IPs; Citrix updates advisory
2026-03-29    watchTowr Labs publishes Part 2 analysis revealing second vulnerable endpoint (/wsfed/passive)
2026-03-30    Added to CISA Known Exploited Vulnerabilities catalog
2026-03-31    NVD record last modified
2026-04-02    CISA BOD 22-01 remediation deadline