
Citrix NetScaler CVE-2026-8451 memory overread

Summary

CVE-2026-8451 is a Citrix NetScaler ADC / NetScaler Gateway pre-authentication memory-overread vulnerability disclosed and patched on June 30, 2026. Citrix describes the flaw as insufficient input validation leading to memory overread; watchTowr Labs' public analysis places it in the recurring CitrixBleed class of NetScaler memory-disclosure bugs.

The exposed path matters most for NetScaler appliances configured as a SAML identity provider. watchTowr showed that malformed SAML authentication input can leak process memory and that simple malformed requests can crash the nsppe process, creating both session-secret exposure risk and availability risk on internet-facing remote-access infrastructure.

Why this matters

  • NetScaler Gateway is commonly deployed as an internet-facing remote-access front door; memory disclosure at this layer can expose authentication or session material even when exploitation does not immediately provide code execution.
  • The affected configuration is narrower than all NetScaler deployments: watchTowr and Citrix state that exploitation requires the appliance to be configured as a SAML IdP.
  • The bug joins a repeated NetScaler memory-disclosure pattern. Prior CitrixBleed-class issues have been operationally important because defenders must treat edge-appliance exposure as a credential/session incident, not only as a patching event.
  • watchTowr published a detection artifact generator and enough technical detail for defenders and researchers to validate exposure. Public validation tooling increases urgency for exposed appliances.
  • The demonstrated impact includes crashing the nsppe process, so unpatched SAML IdP deployments also carry service-disruption risk.

Public vulnerability detail

  • Disclosure / patch date: 2026-06-30.
  • Research publication: watchTowr Labs, 2026-06-30.
  • CVE: CVE-2026-8451.
  • Vendor description: insufficient input validation leading to memory overread.
  • CVSS noted by watchTowr: 8.8.
  • Exploitability condition: NetScaler appliance configured as a SAML IdP.
  • Affected versions named by Citrix / watchTowr:
      • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61;
      • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-63.18;
      • NetScaler ADC FIPS before 14.1-72.61 FIPS;
      • NetScaler ADC FIPS and NDcPP before 13.1-37.272.
  • Observed target surface in public analysis: SAML authentication handling, including /saml/login request processing and SAML AuthnRequest parsing.
  • Process / log pivots: nsppe crashes and NetScaler logs such as /var/log/ns.log around malformed SAML requests.

Defender heuristics

  1. Inventory NetScaler ADC / Gateway assets that are internet-facing or reachable from partner / remote-access networks. Mark which are configured as SAML IdPs.
  2. Patch affected branches to Citrix's fixed builds or later: 14.1-72.61, 13.1-63.18, 14.1-72.61 FIPS, or 13.1-37.272 for FIPS / NDcPP as applicable.
  3. If patching is delayed, reduce exposure for SAML IdP endpoints and place compensating controls in front of /saml/login while validating that the control does not break required authentication flows.
  4. Review NetScaler and upstream logs for anomalous SAML requests, unusual malformed SAMLRequest parameters, bursts of failed SAML authentication processing, and nsppe restarts or crashes.
  5. Treat credible exploitation as possible session-secret exposure. Invalidate NetScaler sessions, rotate SAML signing/encryption material if exposure is plausible, and review downstream identity-provider / service-provider logs for session replay or unusual assertions.
  6. Preserve appliance logs and configuration before disruptive remediation. Edge appliances often have short log retention and limited endpoint telemetry, so capture evidence before rebuilds or failovers.
  7. Fold this into a broader CitrixBleed runbook: patch validation, SAML configuration review, session invalidation, account anomaly review, source-IP clustering, and downstream lateral-movement checks from remote-access address pools.
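The log review in steps 4 and 7, as an added example that is not code from watchTowr, Citrix or this page: it decodes each SAMLRequest value the way the SAML 2.0 Redirect (base64 over raw DEFLATE) and POST (plain base64) bindings define, flags /saml/login requests whose parameter is absent or does not yield a well-formed AuthnRequest, and clusters the flagged requests by source IP. The log line shape, addresses and timestamps are constructed for the example; no real NetScaler log format is assumed, so adapt the field split to the log source you actually have.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_authn_request(param):
    """AuthnRequest element, or None if malformed; handles Redirect (base64+raw DEFLATE) and POST (base64) bindings."""
    try:
        raw = base64.b64decode(param, validate=True)
        bodies = [zlib.decompress(raw, -15), raw]  # -15: raw DEFLATE (Redirect binding); raw bytes for POST
    except ValueError:  # binascii.Error is a ValueError subclass: not base64 at all
        return None
    except zlib.error:  # valid base64 but not DEFLATE-compressed: try it as a POST-binding body
        bodies = [raw]
    for body in bodies:
        try:
            root = ET.fromstring(body)
            if root.tag == "{%s}AuthnRequest" % SAMLP:
                return root
        except ET.ParseError:
            pass
    return None

def triage(lines, burst_threshold=3):
    """Flag /saml/login requests with a missing or malformed SAMLRequest; cluster them by source IP."""
    flagged = []  # (timestamp, client_ip)
    for line in lines:
        parts = line.split()  # constructed shape: <timestamp> <client-ip> <method> <target> <status>
        if len(parts) != 5:
            continue
        url = urlsplit(parts[3])
        if not url.path.startswith("/saml/login"):
            continue
        value = parse_qs(url.query).get("SAMLRequest", [""])[0]  # absent parameter -> "" -> flagged
        if decode_authn_request(value) is None:
            flagged.append((parts[0], parts[1]))
    ips = [ip for _, ip in flagged]
    return flagged, {ip: ips.count(ip) for ip in set(ips) if ips.count(ip) >= burst_threshold}

AUTHN = '<samlp:AuthnRequest xmlns:samlp="%s" ID="_c1" Version="2.0"/>' % SAMLP
_c = zlib.compressobj(9, zlib.DEFLATED, -15)  # encode AUTHN as the Redirect binding does
GOOD = base64.b64encode(_c.compress(AUTHN.encode()) + _c.flush()).decode()
SAMPLE_LOG = [  # constructed, not real NetScaler output: one benign request, three malformed from one source
    "2026-07-01T10:00:01Z 198.51.100.4 GET /saml/login?SAMLRequest=%s 200" % quote(GOOD, safe=""),
    "2026-07-01T10:00:02Z 203.0.113.7 GET /saml/login?SAMLRequest=PFJlc3BvbnNlLz4%3D 500",
    "2026-07-01T10:00:03Z 203.0.113.7 GET /saml/login?SAMLRequest=not-base64%21 500",
    "2026-07-01T10:00:04Z 203.0.113.7 GET /saml/login 400",
]
```

Running `triage(SAMPLE_LOG)` returns the three malformed requests and `{"203.0.113.7": 3}`; a decode failure is a triage signal to pivot on (source IP, timing, nsppe restarts in /var/log/ns.log), not proof of exploitation on its own.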

Sources

  • watchTowr Labs: https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/
  • Citrix advisory CTX696604: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604