Citrix NetScaler Patches Six Vulnerabilities, Including New 'HTTP/2 Bomb' DoS Flaw
Citrix has released security updates for its NetScaler ADC and Gateway products, addressing six vulnerabilities, notably a new denial-of-service flaw dubbed 'HTTP/2 Bomb' and a critical information disclosure bug.

Citrix has issued critical security patches for its NetScaler ADC and NetScaler Gateway products, resolving six vulnerabilities that could pose significant risks to organizations. Among the patched flaws is a newly identified denial-of-service (DoS) vulnerability, creatively named 'HTTP/2 Bomb,' which targets the HTTP/2 protocol.
The update addresses a total of six security issues. Four of these are high-severity vulnerabilities, including out-of-bounds read, memory overflow, and arbitrary file read bugs, tracked under CVE identifiers CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816. An additional medium-severity out-of-bounds read vulnerability is also resolved.
The 'HTTP/2 Bomb' vulnerability, assigned the NetScaler-specific CVE identifier CVE-2026-13474, is a denial-of-service flaw that leverages known attack techniques to overwhelm and disable web servers. This particular flaw was discovered using OpenAI's Codex, highlighting the evolving landscape of vulnerability discovery.
Citrix has released fixes in NetScaler ADC and NetScaler Gateway versions 14.1-72.61 and 13.1-63.18. Specific FIPS and NDcPP versions also received updates. The company advises customers to evaluate their specific configurations, as each vulnerability has distinct preconditions for exploitation, and not all deployments may be affected.
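As an added example (not Citrix's tooling or code from the article), the following inventory check compares NetScaler build strings against the two mainline fixed builds named above, treating any build at or above them as patched. It assumes the inventory records each appliance's edition, because FIPS and NDcPP fixed builds are not given here and must not be guessed from the version string alone.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed mainline builds named in the article (FIPS/NDcPP fixed builds are not
# given there, so they are never guessed; see patch_status).
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {"14.1": (72, 61), "13.1": (63, 18)}

# NetScaler build strings look like "<major>.<minor>-<build>.<sub>", e.g. "14.1-72.61".
_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-72.61' into ('14.1', (72, 61)); reject anything else."""
    m = _BUILD_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return f"{major}.{minor}", (build, sub)


def patch_status(version: str, edition: str = "mainline") -> str:
    """Return 'patched', 'vulnerable' or 'unknown'. The build string alone does not
    reveal a FIPS/NDcPP edition (they can share the 13.1 prefix), so the caller passes it."""
    if edition != "mainline":
        return "unknown"  # fixed FIPS/NDcPP builds are not listed in the article
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by this advisory summary
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group appliance names by status; rows are (name, build, edition)."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for name, build, edition in inventory:
        out[patch_status(build, edition)].append(name)
    return out


# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-72.61", "mainline"),
    ("ns-gw-02", "14.1-66.33", "mainline"),
    ("ns-adc-01", "13.1-59.10", "mainline"),
    ("ns-fips-01", "13.1-37.250", "fips"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Appliances reported as "unknown" still need a manual check against the vendor bulletin for their specific edition or branch.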
Security researchers from watchTowr have drawn particular attention to CVE-2026-8451, a high-severity flaw (CVSS 8.8) that they classify as the latest in the "CitrixBleed" series. This vulnerability affects NetScaler's XML parser, potentially allowing an attacker to read restricted memory in an HTTP response. Successful exploitation requires specific configurations, including the NetScaler instance being set up as a SAML IDP and the attacker's login request meeting certain criteria.
Exploitation of CVE-2026-8451 could lead to data leakage from a vulnerable appliance. When combined with a memory corruption issue, this could escalate to a full device compromise. Organizations managing their own NetScaler ADC, NetScaler Gateway, and Citrix Secure Private Access Hybrid deployments are strongly urged to apply these patches immediately.
The prompt patching of these vulnerabilities is crucial, especially given the history of severe exploitation of previous NetScaler flaws, such as CitrixBleed. Proactive security measures are essential to protect sensitive data and maintain the integrity of network infrastructure.