Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCitrix Netscaler Application Delivery Controller
APPCitrix13.1 – 13.1-37.262 (bez)13.1 – 13.1-62.23 (bez)14.1 – 14.1-60.58 (bez)Citrix Netscaler Gateway
APPCitrix13.1 – 13.1-62.23 (bez)14.1 – 14.1-60.58 (bez)
CISA KEV — detailsi
- Vendori
- Citrix ↗
- Producti
- NetScaler
- Added to KEVi
- March 30, 2026
- Remediation deadline (US Federal)i
- April 2, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.
Related vulnerabilities
Przepełnienie pamięci w Citrix NetScaler ADC i Gateway — RCE/DoS
Przepełnienie pamięci w Citrix NetScaler ADC i Gateway – RCE/DoS przez VPN
CitrixBleed 2 — memory overread w Citrix NetScaler ADC i Gateway
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virt...
Unauthenticated remote code execution