Citrix on Tuesday announced fresh NetScaler ADC and NetScaler Gateway security updates that resolve six vulnerabilities, including the recent HTTP/2 Bomb flaw.
Four of the issues, tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816, are high-severity out-of-bounds read, memory overflow, and arbitrary file read bugs.
Tracked as CVE-2026-10816, the fifth is a medium-severity out-of-bounds read, while the sixth is HTTP/2 Bomb, a denial-of-service (DoS) exploit targeting Apache HTTP Server.
Tracked as CVE-2026-49975 and discovered using OpenAI’s Codex, HTTP/2 Bomb combines previously known attack techniques to knock web servers offline. Citrix assigned it a separate NetScaler-specific CVE identifier, CVE-2026-13474.
All these weaknesses were addressed in NetScaler ADC and NetScaler Gateway versions 14.1-72.61 and 13.1-63.18, NetScaler ADC FIPS version 14.1-72.61 FIPS, and in NetScaler ADC FIPS and NDcPP version 13.1-37.272.
Citrix points out that each vulnerability has different configuration-specific preconditions and that customers should evaluate whether their deployments have the vulnerable features enabled.
According to attack surface management firm watchTowr, Citrix customers should pay particular attention to CVE-2026-8451 (CVSS score of 8.8), which it describes as the latest in the CitrixBleed series of security defects.
The company explains that the bug lies in NetScaler’s XML parser, which reads beyond the intended bounds of each XML attribute value; as a result, NetScaler can be tricked into returning restricted memory in an HTTP response.
Successful exploitation of the vulnerability, however, requires that the NetScaler instance is configured as a SAML IdP and that the attacker’s login request satisfies specific conditions.
According to watchTowr, an attacker could exploit this security defect to leak data from a vulnerable appliance, including a data pointer that, when combined with a memory corruption issue, could lead to full device compromise.
Organizations with self-managed NetScaler ADC, NetScaler Gateway, and Citrix Secure Private Access Hybrid deployments using NetScaler instances are advised to apply the fresh patches as soon as possible.
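As an added example, not code from Citrix or watchTowr, the following Python check compares an inventory of NetScaler version strings against the fixed builds listed above. It assumes that version strings follow the "14.1-72.61" pattern and that the 13.1-37.x line is the separate FIPS/NDcPP maintenance train, which must be compared only against its own fixed build rather than against the mainstream 13.1-63.18.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds named in the advisory, keyed by release train.
# Assumption: 13.1-37.x is the FIPS/NDcPP train and is listed second so that
# any other 13.1 build falls back to the mainstream 63.18 comparison.
FIXED_BUILDS = {
    "14.1": [(72, 61)],              # ADC/Gateway and ADC FIPS 14.1
    "13.1": [(63, 18), (37, 272)],   # mainstream 13.1, then FIPS/NDcPP 13.1-37.x
}

# Accepts an optional trailing "FIPS" / "NDcPP" label as printed in advisories.
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)(?:\s+(?:FIPS|NDcPP))?\s*$", re.I)


def parse_version(ver: str) -> Tuple[str, int, int]:
    """Split '14.1-72.61' into ('14.1', 72, 61); raise on anything else."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {ver!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_patched(ver: str) -> Optional[bool]:
    """True if ver is at or above the fixed build for its train, False if below,
    None if the train is not covered by this advisory at all."""
    train, build, sub = parse_version(ver)
    if train not in FIXED_BUILDS:
        return None
    fixed = FIXED_BUILDS[train]
    # Same build line as one of the fixed builds: compare the sub-build only,
    # so 13.1-37.250 is judged against 37.272 and not against 63.18.
    for fixed_build, fixed_sub in fixed:
        if build == fixed_build:
            return sub >= fixed_sub
    # Any other build on the train is measured against the mainstream fix.
    return (build, sub) >= fixed[0]


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to 'patched', 'VULNERABLE' or 'unknown-train'."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown-train"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"gw-1": "14.1-72.61", "gw-2": "13.1-58.32", "fips-1": "13.1-37.250"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```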