VYPR advisory
Published Mar 28, 2026 · Updated May 20, 2026 · 1 source

Citrix NetScaler CVE-2026-3055: Another Memory Overread Vulnerability Raises Concerns About Recurring Pattern

Citrix disclosed CVE-2026-3055, a critical memory overread vulnerability in NetScaler ADC and Gateway, with watchTowr Labs warning of a troubling pattern of similar flaws.

Citrix has disclosed CVE-2026-3055, a memory overread vulnerability in NetScaler ADC and NetScaler Gateway that carries a CVSS 4.0 score of 9.3. The flaw affects versions prior to 14.1-26.x and is exploitable when the appliance is configured as a SAML identity provider (IdP). Citrix discovered the vulnerability internally and has released patches for affected versions, including 14.1-60.58, 14.1-66.59, and 13.1-62.23.

watchTowr Labs, which analyzed the vulnerability, noted that CVE-2026-3055 is structurally reminiscent of prior memory leak flaws such as CitrixBleed and CitrixBleed2. These earlier vulnerabilities allowed attackers to leak memory and hijack remote access sessions, leading to widespread exploitation. The recurrence of similar issues has raised concerns about the fragility of memory management in NetScaler appliances, which serve as critical remote-access and load-balancing infrastructure for many large enterprises.

The vulnerability is triggered by insufficient input validation in SAML IdP processing, leading to a memory overread. An attacker could exploit this to leak sensitive memory contents, potentially including session tokens or other authentication data. Citrix recommends upgrading to patched versions immediately. watchTowr confirmed the flaw on versions 14.1-43.50 and 14.1-66.54, while 14.1-66.59 is patched.

In addition to analyzing CVE-2026-3055, watchTowr reported discovering additional memory-overread vulnerabilities with similar prerequisites, related to clustering configurations. These have been responsibly disclosed to Citrix's PSIRT team and are not yet public. The findings underscore a broader pattern of memory management issues in NetScaler, which watchTowr had previously warned about after CitrixBleed2.

The impact of CVE-2026-3055 is significant given the widespread deployment of NetScaler appliances in enterprise networks. Organizations using NetScaler as a SAML IdP are at heightened risk and should prioritize patching. The vulnerability has not been reported as exploited in the wild as of publication, but the similarity to previous flaws that were actively exploited suggests that attackers may quickly develop exploits.

This latest disclosure continues a troubling trend for Citrix NetScaler, where memory safety issues have repeatedly surfaced despite prior warnings. The company has addressed the immediate vulnerability, but the underlying pattern suggests that more robust memory management practices are needed. For now, administrators should apply patches and consider whether SAML IdP functionality on NetScaler is necessary, given the associated risks.
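A triage helper for the two facts the advisory hinges on (build level and whether the appliance is a SAML IdP), added here as an example and not code from Citrix, watchTowr or Vypr. It assumes the `show ns version` line format `NetScaler NS14.1: Build 66.54.nc` and the `add authentication samlIdPProfile` config object; the comparison rule is a deliberately conservative assumption: a build counts as patched only if it sits in one of the fixed release lines the advisory names (14.1-60.58, 14.1-66.59, 13.1-62.23) at or above that patch level, so 14.1-43.50 and 14.1-66.54 are flagged as the advisory states.

```python
import re

# First fixed patch level per (release, build line), from the advisory text.
FIXED_BUILDS = {("14.1", 60): 58, ("14.1", 66): 59, ("13.1", 62): 23}

VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")
IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.M)

# Constructed sample output, not captured from a real appliance.
SAMPLE_VERSION = "NetScaler NS14.1: Build 66.54.nc, Date: Jan 1 2026, 00:00:00 (constructed)"
SAMPLE_CONFIG = (
    "add authentication samlIdPProfile idp_corp -samlIdPCertName cert1\n"
    "add vpn vserver gw SSL 0.0.0.0 0\n"
)


def parse_version(show_ns_version_output: str):
    """Return (release, build, patch) from 'show ns version' text."""
    m = VERSION_RE.search(show_ns_version_output)
    if not m:
        raise ValueError("no NetScaler version string found")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_patched(release: str, build: int, patch: int) -> bool:
    """Conservative rule (assumption): patched only inside a listed fixed line."""
    fixed = FIXED_BUILDS.get((release, build))
    return fixed is not None and patch >= fixed


def has_saml_idp_profile(config: str) -> bool:
    """True when the running config defines a SAML IdP profile (the exploit prerequisite)."""
    return IDP_RE.search(config) is not None


def triage(version_output: str, config: str) -> str:
    """Classify an appliance for CVE-2026-3055 exposure."""
    release, build, patch = parse_version(version_output)
    if is_patched(release, build, patch):
        return "patched"
    if has_saml_idp_profile(config):
        return "vulnerable: SAML IdP configured, upgrade immediately"
    return "unpatched: SAML IdP not configured, schedule upgrade"


if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```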

Synthesized by Vypr AI