Critical security vulnerability in Citrix Gateway and Netscaler ADC

The manufacturer warns of a memory disclosure flaw and possibly swapped user sessions in the security appliances. Admins should update.


The manufacturer "Cloud Software Group" has fixed two security vulnerabilities in the Citrix products "NetScaler ADC" (Application Delivery Controller) and "NetScaler Gateway", one of them with a critical rating. The errors were noticed during an internal review, and updates have already been released. Citrix customers should promptly check whether they are affected and update their appliances.

The two security vulnerabilities in detail:

  • CVE-2026-3055: Insufficient input validation leads to an out-of-bounds memory read (CVSS v4 9.3/10, critical)
  • CVE-2026-4368: A race condition can lead to user sessions being swapped (CVSS v4 7.7/10, high)


The discerning reader of the Citrix security advisory has to hunt for details, but some of them are reminiscent of the fatal security vulnerability CitrixBleed 2 from 2025. That flaw was also a memory disclosure that remote attackers could exploit to intercept access tokens. In conjunction with the race condition now reported alongside it, such a flaw could be used specifically to take over certain user accounts.

Admins should quickly update to the fixed versions:

  • NetScaler ADC and NetScaler Gateway 14.1-66.59 or newer,
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 or newer releases from the 13.1 release train,
  • For FIPS-certified instances, the errors are fixed in NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 as well as newer versions of 13.1-FIPS and 13.1-NDcPP.
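The following script is an added example, not part of the article or of Citrix's advisory: it encodes the fixed builds listed above and classifies an installed NetScaler version string as patched, vulnerable, or outside the listed release trains. The accepted input formats ("14.1-66.59", "NS14.1 66.59.nc", "13.1.37.262") and the `flavor` parameter for FIPS/NDcPP builds are assumptions; feed it the version portion of your appliance's output, and treat the vendor advisory as the authoritative source if the two disagree.

```python
import re

# Fixed builds as listed in the article (table constructed from the page's
# version list; the vendor advisory remains the authoritative reference).
FIXED_BUILDS = {
    "14.1": (14, 1, 66, 59),
    "13.1": (13, 1, 62, 23),
    "13.1-FIPS": (13, 1, 37, 262),
    "13.1-NDcPP": (13, 1, 37, 262),
}

NUMBER_RE = re.compile(r"\d+")


def parse_version(text):
    """Return (major, minor, build, sub) from strings such as '14.1-66.59',
    'NS14.1 66.59.nc' or '13.1.37.262'.  These formats are assumptions; pass
    only the version portion of the output, not a whole banner line with dates."""
    nums = [int(n) for n in NUMBER_RE.findall(text)]
    if len(nums) < 4:
        raise ValueError(f"cannot parse a four-part version from {text!r}")
    return tuple(nums[:4])


def assess(version_text, flavor="standard"):
    """Classify an installed build as 'patched', 'vulnerable' or 'unknown'.

    flavor selects the release train: 'standard', 'FIPS' or 'NDcPP'.
    Builds are compared as tuples, so 13.1-62.23 >= 13.1-62.23 is patched
    while 13.1-58.32 is not.
    """
    installed = parse_version(version_text)
    train = f"{installed[0]}.{installed[1]}"
    key = train if flavor == "standard" else f"{train}-{flavor}"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"  # release train not covered by the list above
    return "patched" if installed >= fixed else "vulnerable"


def main():
    # Constructed sample inputs, not real inventory data.
    samples = [
        ("14.1-66.59", "standard"),
        ("NS14.1 47.46.nc", "standard"),
        ("13.1-62.23", "standard"),
        ("13.1-58.32", "standard"),
        ("13.1.37.262", "FIPS"),
        ("13.1.37.250", "NDcPP"),
        ("12.1-55.300", "standard"),
    ]
    for text, flavor in samples:
        print(f"{text:<16} {flavor:<9} {assess(text, flavor)}")


if __name__ == "__main__":
    main()
```

An "unknown" result means the release train is not in the page's list, not that the build is safe; check the advisory for those instances separately.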

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.