Citrix NetScaler CVE-2026-3055 Covers Two Memory Overread Flaws; Exploitation Observed in the Wild
watchTowr Labs reveals that CVE-2026-3055 actually covers at least two memory overread vulnerabilities in Citrix NetScaler, with exploitation in the wild observed since March 27th.

watchTowr Labs has disclosed that CVE-2026-3055, assigned to Citrix NetScaler, actually covers at least two distinct memory overread vulnerabilities. The second vulnerability affects the `/wsfed/passive` endpoint and is triggered by a `wctx` parameter without a value, causing a memory leak via the `NSC_TASS` cookie. Exploitation in the wild has been observed since March 27th, with evidence from the researchers' honeypot network showing exploitation from known threat actor source IPs.
The newly disclosed vulnerability, dubbed Part 2, is triggered by a simple GET request: `GET /wsfed/passive?wctx HTTP/1.1`. The `wctx` querystring parameter must be present but lacks the `=` sign and any value. An unpatched Citrix NetScaler mistakenly checks only for the parameter's presence before accessing the buffer associated with the variable, rather than checking that any data is actually associated with it. Since there is no actual value, the buffer pointer references dead memory, and kilobytes of that memory are leaked base64-encoded in the `NSC_TASS` cookie.
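As an added defender-side illustration (not code from watchTowr's write-up or from Citrix), the following Python flags access-log requests matching the request shape described above: a `/wsfed/passive` request whose `wctx` parameter has no `=` and no value. The log lines, their format and the source IPs are constructed samples.

```python
"""Flag access-log requests matching the CVE-2026-3055 'Part 2' trigger shape."""
import re
from urllib.parse import urlsplit

# Constructed sample lines in a combined-log style; the request line is the quoted field.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2026:10:01:02 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 200 512
203.0.113.11 - - [27/Mar/2026:10:01:05 +0000] "GET /wsfed/passive?wctx=abc&wa=wsignin1.0 HTTP/1.1" 200 734
203.0.113.12 - - [27/Mar/2026:10:01:09 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx HTTP/1.1" 200 4096
203.0.113.13 - - [27/Mar/2026:10:02:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 1200
203.0.113.14 - - [27/Mar/2026:10:02:30 +0000] "GET /wsfed/passive?wctx= HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def valueless_params(query: str) -> set[str]:
    """Return the names of query parameters that appear with no '=' at all."""
    return {part for part in query.split("&") if part and "=" not in part}


def is_wctx_probe(target: str) -> bool:
    """True when the request targets /wsfed/passive with a bare 'wctx' parameter.

    Only the shape described in the disclosure is matched: the parameter is present
    but the '=' sign and any value are missing. A blank value ('wctx=') is deliberately
    not matched; broaden this if your own review calls for it.
    """
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/wsfed/passive":
        return False
    return "wctx" in valueless_params(parts.query)


def find_probes(log_text: str) -> list[str]:
    """Return the source IPs of log lines whose request line matches the probe shape."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_wctx_probe(m.group("target")):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    for ip in find_probes(SAMPLE_LOG):
        print("possible CVE-2026-3055 probe from", ip)
```

A hit is a reason to check the appliance's patch level and SAML IDP configuration, not proof of a successful leak on its own.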
This vulnerability works consistently and discloses significant amounts of memory, making it more dangerous than the first vulnerability patched under the same CVE. The prerequisites for exploitation remain the same: Citrix advises that the vulnerability is only exploitable if the appliance is configured as a SAML IDP, a configuration the researchers deem ill-suited for this class of network device.
In-the-wild exploitation has begun, with evidence from the watchTowr honeypot network showing exploitation from known threat actor source IPs as of March 27th. This is an impressive turnaround time for a vulnerability Citrix identified internally, highlighting the urgency for organizations to patch.
watchTowr Labs also identified a further instance of memory management issues during its analysis and has reported it to Citrix. The researchers expressed concern over the state of memory management on critical appliances, noting that the vulnerability behaves similarly to the previously disclosed CitrixBleed2.
Citrix has released patches for CVE-2026-3055, but organizations using Citrix NetScaler as a SAML IDP should prioritize applying the update immediately. The disclosure underscores the importance of thorough vulnerability analysis and the risks of assigning a single CVE ID to multiple distinct flaws.