CVE-2026-3055: Citrix NetScaler Out-of-Bounds Read Exposes Memory in SAML IDP Configurations

CVE ID: CVE-2026-3055
Vendor: Citrix
Affected Products: NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway), NetScaler ADC FIPS, NetScaler ADC NDcPP
Vulnerability Type: Out-of-Bounds Read (CWE-125)
CISA KEV Patch Deadline: April 2, 2026


Vulnerability Details

CVE-2026-3055 is an out-of-bounds read vulnerability present in Citrix NetScaler ADC, NetScaler Gateway, and the FIPS and NDcPP variants of NetScaler ADC. The flaw manifests specifically when the affected appliance is configured to operate as a SAML Identity Provider (IDP).

The vulnerability permits an attacker to trigger a memory overread: the affected code reads past the end of the buffer it was meant to stay within. Out-of-bounds reads in a component like this are particularly dangerous because the SAML IdP endpoint must parse attacker-supplied request data before it can decide whether the requester is legitimate, so the flaw is reachable without valid credentials.

The attack vector is network-accessible. An unauthenticated remote attacker can send a crafted request targeting the SAML IDP processing logic, causing the appliance to read and potentially return memory contents outside the allocated buffer. This behavior can expose contents of adjacent memory regions to the attacker.


Real-World Impact

NetScaler appliances serving as SAML IDPs sit at the authentication perimeter of enterprise environments. They process identity assertions, manage session tokens, and handle credential flows for SSO-enabled applications. An out-of-bounds read in this component can expose:

  • Active session tokens
  • Cryptographic key material
  • Credential fragments processed during authentication flows
  • Internal application state and configuration data resident in memory

Data exposure of this nature enables session hijacking, lateral movement through authenticated SSO-connected applications, and reconnaissance against the broader identity infrastructure. Organizations using NetScaler as a SAML IDP for cloud applications, VPN access, or internal SSO portals face direct risk of credential and session material leakage.

Citrix NetScaler appliances have been targeted repeatedly in prior campaigns. Threat groups exploited CVE-2023-3519 (an unauthenticated remote code execution flaw) and CVE-2023-4966 (Citrix Bleed, a session-token memory disclosure) at scale, with nation-state and ransomware operators both conducting mass exploitation shortly after disclosure. CVE-2026-3055 follows the Citrix Bleed pattern most closely: a memory-disclosure flaw in a network-facing authentication component that requires no credentials to exploit.

CISA has added CVE-2026-3055 to the Known Exploited Vulnerabilities (KEV) catalog and mandates that all U.S. federal civilian executive branch (FCEB) agencies apply patches by April 2, 2026.


Affected Configurations

Only NetScaler instances configured as a SAML IDP are confirmed vulnerable under this CVE. Deployments operating solely as SAML Service Providers (SP) or in non-SAML configurations are outside the documented scope of this vulnerability. However, organizations should audit their configurations carefully, as multi-role deployments are common.

Query the appliance's running configuration to confirm whether a SAML IdP profile is defined and in use. On the NetScaler CLI the IdP-side object is `samlIdPProfile` (the SP-side counterpart is `samlAction`, which is outside the documented scope):

show authentication samlIdPProfile

A profile that exists is not necessarily reachable: it takes effect only when a `samlIdPPolicy` references it and that policy is bound to a virtual server. Treat any appliance with at least one bound IdP profile as within the vulnerable scope, and treat a defined-but-unbound profile as configuration to review and remove rather than as proof the appliance is unaffected.
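The audit above scales badly when done by hand across a fleet. The following is an added example, not Citrix tooling or code from the page: it parses saved `show ns runningConfig` output and reports which SAML IdP profiles exist and which are actually reachable through a `samlIdPPolicy` bound to a virtual server. The two configurations are constructed samples with hypothetical object names (auth_vs, okta_idp_prof, and so on); the script assumes the profile, policy and bind line shapes shown in the samples and does not follow policy labels, so an IdP policy bound only through a policy label would be reported as unbound.

```python
import shlex
from typing import Dict, List, Optional, Set

# Constructed sample of `show ns runningConfig` output, not captured from a real
# appliance. Names (auth_vs, okta_idp_prof, stale_prof, ...) are hypothetical.
IDP_CONFIG = """\
set ns hostName ns-edge-01
add authentication vserver auth_vs SSL 10.0.0.10 443
add authentication samlIdPProfile okta_idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.example.test/saml/acs"
add authentication samlIdPPolicy okta_idp_pol -rule true -action okta_idp_prof
add authentication samlIdPProfile stale_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert2 -assertionConsumerServiceURL "https://old.example.test/acs"
bind authentication vserver auth_vs -policy okta_idp_pol -priority 100
"""

# Constructed sample of an appliance acting only as a SAML Service Provider
# (samlAction, no samlIdPProfile), which the page places outside the documented scope.
SP_ONLY_CONFIG = """\
set ns hostName ns-edge-02
add authentication samlAction azure_sp -samlIdPCertName azure_cert -samlRedirectUrl "https://login.example.test/saml"
add authentication Policy azure_pol -rule true -action azure_sp
bind authentication vserver auth_vs -policy azure_pol -priority 100
"""


def _option(tokens: List[str], name: str) -> Optional[str]:
    """Value following a -option token (case-insensitive), or None if absent."""
    lowered = [t.lower() for t in tokens]
    if name in lowered:
        i = lowered.index(name)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def saml_idp_status(running_config: str) -> Dict[str, object]:
    """Report SAML IdP profiles and whether any is reachable through a bound policy."""
    profiles: Set[str] = set()
    policy_to_profile: Dict[str, str] = {}
    bound_policies: Set[str] = set()

    for raw in running_config.splitlines():
        try:
            tokens = shlex.split(raw)  # shlex keeps quoted URLs as one token
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than abort the audit
        if len(tokens) < 4:
            continue
        verb, module, obj = (t.lower() for t in tokens[:3])
        if verb == "add" and module == "authentication" and obj == "samlidpprofile":
            profiles.add(tokens[3])
        elif verb == "add" and module == "authentication" and obj == "samlidppolicy":
            action = _option(tokens, "-action")
            if action:
                policy_to_profile[tokens[3]] = action
        elif verb == "bind" and obj == "vserver":
            # covers authentication, lb and vpn vservers; policy labels are not followed
            policy = _option(tokens, "-policy")
            if policy:
                bound_policies.add(policy)

    bound_profiles = {policy_to_profile[p] for p in bound_policies if p in policy_to_profile}
    return {
        "profiles": sorted(profiles),
        "bound_profiles": sorted(bound_profiles & profiles),
        "unbound_profiles": sorted(profiles - bound_profiles),
        "in_scope": bool(bound_profiles & profiles),
    }


if __name__ == "__main__":
    for label, cfg in (("ns-edge-01", IDP_CONFIG), ("ns-edge-02", SP_ONLY_CONFIG)):
        print(label, saml_idp_status(cfg))
```

Run it over a saved copy of each appliance's running configuration; `in_scope` is the field to key the patch priority on, and a non-empty `unbound_profiles` list is stale configuration worth removing while you are there.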


Patching and Mitigation Guidance

1. Apply Citrix Security Patches Immediately Citrix has released, or is releasing, security updates addressing CVE-2026-3055. Consult the official Citrix Security Bulletin for the affected version ranges and the corresponding fixed builds; do not rely on a major-version number alone. Prioritize appliances directly reachable from the internet or from untrusted network segments.

2. Restrict Access to SAML Endpoints Until patching is complete, restrict network access to the SAML IdP endpoints using perimeter firewall rules. Note that SAML front-channel bindings (HTTP-Redirect and HTTP-POST) arrive from the user's browser, not from the Service Provider, so the allowlist has to cover the client populations you expect (for example corporate egress ranges or VPN pools), not the SP's addresses. Deploy Web Application Firewall (WAF) policies to inspect and block malformed SAML requests targeting the IdP interface.

3. Audit Exposed Instances Conduct network discovery to identify all NetScaler appliances in the environment. Cross-reference each with its running configuration to determine SAML IDP status. Maintain a current inventory — shadow or forgotten appliances represent unpatched attack surface.

4. Monitor SAML Authentication Logs Enable verbose logging on SAML IDP endpoints. Look for malformed or oversized SAML requests, repeated authentication failures from single source IPs, and anomalous timing patterns that indicate automated scanning or exploitation attempts. Forward logs to your SIEM for correlation against known exploitation indicators.

5. Rotate Session Material Post-Patch After patching, rotate session tokens and review any cryptographic keys or secrets that may have resided in memory on affected appliances during the exposure window. Assume that internet-facing SAML IDP instances with no access controls in place may have been probed prior to patch availability.
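The monitoring step above is easier to act on with a concrete notion of "malformed". The following is an added example, not from the page or from Citrix: it decodes the SAMLRequest parameter of the HTTP-Redirect binding the way a compliant IdP would (URL-decode, base64-decode, raw-inflate, XML-parse) and counts, per source IP, requests that fail at any stage or exceed a size cap, flagging sources that cross a threshold. The log lines are constructed, in a hypothetical proxy access-log format (timestamp, client IP, method, path, status) for a hypothetical /saml/login URL, and the size caps are assumptions to tune against your own traffic.

```python
import base64
import binascii
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from collections import Counter
from typing import Dict, List, Tuple

SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_PARAM_BYTES = 8192           # assumption: a genuine AuthnRequest is far smaller than this
MAX_INFLATED_BYTES = 64 * 1024   # cap inflation so a crafted payload cannot exhaust the scanner


def redirect_binding_param(xml_text: str) -> str:
    """Encode an AuthnRequest as an SP would for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # -15: raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def classify_request(param: str) -> str:
    """Return 'ok', or the first reason the SAMLRequest value is malformed."""
    if len(param) > MAX_PARAM_BYTES:
        return "oversized"
    try:
        raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    except (binascii.Error, ValueError):
        return "bad_base64"
    try:
        xml_bytes = zlib.decompressobj(-15).decompress(raw, MAX_INFLATED_BYTES)
    except zlib.error:
        return "bad_deflate"
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return "bad_xml"
    if root.tag != f"{{{SAML_PROTOCOL_NS}}}AuthnRequest":
        return "unexpected_root"
    return "ok"


def scan_log(log_text: str, threshold: int = 3) -> Tuple[Dict[str, Counter], List[str]]:
    """Classify every SAMLRequest in the log; return per-IP reason counts and the IPs whose
    count of malformed requests reaches the threshold."""
    per_ip: Dict[str, Counter] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, path = fields[1], fields[3]
        # Split the query by hand: parse_qs would turn '+' into a space and corrupt base64.
        for pair in path.partition("?")[2].split("&"):
            key, _, value = pair.partition("=")
            if key == "SAMLRequest":
                per_ip.setdefault(ip, Counter())[classify_request(value)] += 1
    flagged = sorted(ip for ip, counts in per_ip.items()
                     if sum(n for reason, n in counts.items() if reason != "ok") >= threshold)
    return per_ip, flagged


GOOD_XML = (f'<samlp:AuthnRequest xmlns:samlp="{SAML_PROTOCOL_NS}" ID="_1" Version="2.0" '
            'IssueInstant="2026-03-20T10:00:00Z"><saml:Issuer '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test'
            '</saml:Issuer></samlp:AuthnRequest>')
BAD_XML = '<samlp:AuthnRequest ID="_2" Version="2.0"><saml:Issuer>unterminated'

# Constructed access-log lines (timestamp, client IP, method, path, status) from a proxy in
# front of the IdP login URL; the path and the addresses are hypothetical.
SAMPLE_LOG = "\n".join([
    f"2026-03-20T10:00:01Z 203.0.113.10 GET /saml/login?SAMLRequest={redirect_binding_param(GOOD_XML)} 302",
    "2026-03-20T10:00:02Z 198.51.100.7 GET /saml/login?SAMLRequest=%%%notbase64 400",
    f"2026-03-20T10:00:03Z 198.51.100.7 GET /saml/login?SAMLRequest={'A' * 9000} 400",
    f"2026-03-20T10:00:04Z 198.51.100.7 GET /saml/login?SAMLRequest={redirect_binding_param(BAD_XML)} 500",
    f"2026-03-20T10:00:05Z 203.0.113.10 GET /saml/login?SAMLRequest={redirect_binding_param(GOOD_XML)} 302",
])

if __name__ == "__main__":
    counts, flagged = scan_log(SAMPLE_LOG)
    for ip, c in counts.items():
        print(ip, dict(c))
    print("flag for review:", flagged)
```

The reason string is the useful part for a SIEM: a source producing bad_deflate or bad_xml at a steady rate is not a misconfigured SP, and the inflation cap matters because the scanner must not be the next thing a crafted request takes down.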


Summary Table

| Field | Detail |
|---|---|
| CVE | CVE-2026-3055 |
| Vendor | Citrix |
| Products | NetScaler ADC, NetScaler Gateway, NetScaler ADC FIPS/NDcPP |
| Flaw Type | Out-of-Bounds Read (CWE-125) |
| Attack Vector | Network, Unauthenticated |
| Condition | SAML IDP configuration required |
| KEV Deadline | April 2, 2026 |

Organizations running Citrix NetScaler in SAML IDP mode should treat this vulnerability as high priority. Patch, restrict, and monitor — in that order.