Ravie Lakshmanan | Jul 01, 2026 | Vulnerability / Enterprise Security

Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.

The vulnerabilities are listed below –

  • CVE-2026-8451 (CVSS score: 8.8) – An insufficient input validation vulnerability leading to memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML IDP
  • CVE-2026-8452 (CVSS score: 8.8) – A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
  • CVE-2026-8655 (CVSS score: 8.8) – Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
  • CVE-2026-10816 (CVSS score: 7.7) – An external control of file name or path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
  • CVE-2026-10817 (CVSS score: 6.9) – An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
  • CVE-2026-13474 (CVSS score: 8.7) – A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler

Patches for the security defects have been released in the following versions –

  • NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
  • NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP

As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams –

  • For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds. The fix is effective immediately after the upgrade.
  • For appliances NOT using HTTP Strict Profiles, the default value is 0. In this case, merely upgrading to the builds containing the fix will not address the vulnerability completely. Customers must manually set Http2SmallWndTimeout to 30 seconds.

The command to set this parameter is below, where <profile_name> is a placeholder for the HTTP profile bound to the affected virtual server or service (the original command was printed without its arguments) –

set ns httpProfile <profile_name> -http2SmallWndTimeout 30

Run "save ns config" afterward so the setting persists across a reboot, and repeat the command for every HTTP/2-enabled profile that is not a strict profile.
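The two checks a practitioner needs after reading this advisory are whether an appliance is on a fixed build, and which HTTP/2-enabled HTTP profiles still sit at the non-strict default of 0 and therefore need the manual Http2SmallWndTimeout change. The following script, added here as an example and not code from Citrix or from the original article, does both offline. It assumes the "show ns version" banner has the shape "NetScaler NS14.1: Build 72.61.nc" and that ns.conf defines HTTP profiles as "add/set ns httpProfile <name> -flag value ..." lines; the ns.conf excerpt and profile names are constructed for the example.

```python
import re

# Minimum fixed builds per the advisory summary above: train -> (build, minor).
# The 13.1-FIPS/NDcPP train is keyed separately; the article prints its fixed
# build as 13.1.37.272, which the version banner would report as "Build 37.272".
# 14.1-FIPS shares the 14.1 fixed build (72.61), so it needs no separate key.
FIXED_BUILDS = {
    "14.1": (72, 61),
    "13.1": (63, 18),
    "13.1-FIPS": (37, 272),
}

# Assumed shape of the "show ns version" banner, e.g. "NetScaler NS14.1: Build 72.61.nc".
VERSION_RE = re.compile(r"NS(?P<train>\d+\.\d+):\s+Build\s+(?P<build>\d+)\.(?P<minor>\d+)")


def is_patched(show_ns_version: str, fips: bool = False) -> bool:
    """Return True if the reported build is at or above the fixed build for its train.

    Trains not listed in the advisory (e.g. 13.0, 12.1) return False: they received no fix.
    """
    m = VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError(f"unrecognised version banner: {show_ns_version!r}")
    train = m.group("train")
    key = f"{train}-FIPS" if fips and train == "13.1" else train
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return False
    return (int(m.group("build")), int(m.group("minor"))) >= fixed


# ns.conf lines that define or modify an HTTP profile (assumed format, e.g.
# "add ns httpProfile myprof -http2 ENABLED -http2SmallWndTimeout 30").
PROFILE_RE = re.compile(r"^(?:add|set) ns httpProfile (\S+)(.*)$")


def _parse_flags(rest: str) -> dict:
    """Turn ' -http2 ENABLED -http2SmallWndTimeout 30' into {'-http2': 'ENABLED', ...}."""
    flags, key = {}, None
    for tok in rest.split():
        if tok.startswith("-"):
            key = tok
            flags[key] = None
        elif key is not None:
            flags[key] = tok
    return flags


def http2_profiles(ns_conf: str) -> dict:
    """Map each HTTP profile name to its HTTP/2 state and effective http2SmallWndTimeout.

    Later 'set' lines override earlier 'add' lines for the same profile. A missing
    -http2SmallWndTimeout is treated as 0, the non-strict default the advisory warns about.
    """
    profiles = {}
    for line in ns_conf.splitlines():
        m = PROFILE_RE.match(line.strip())
        if not m:
            continue
        name, flags = m.group(1), _parse_flags(m.group(2))
        state = profiles.get(name, {"http2": "DISABLED", "timeout": 0})
        if flags.get("-http2") is not None:
            state["http2"] = flags["-http2"]
        if flags.get("-http2SmallWndTimeout") is not None:
            state["timeout"] = int(flags["-http2SmallWndTimeout"])
        profiles[name] = state
    return profiles


def remediation_commands(ns_conf: str, timeout: int = 30) -> list:
    """Emit the 'set ns httpProfile' command for every HTTP/2-enabled profile still at 0."""
    return [
        f"set ns httpProfile {name} -http2SmallWndTimeout {timeout}"
        for name, state in http2_profiles(ns_conf).items()
        if state["http2"] == "ENABLED" and state["timeout"] == 0
    ]


# Constructed ns.conf excerpt (not taken from a real appliance) covering three cases:
# a non-strict profile with HTTP/2 on (needs the manual change), a strict profile
# already at 30, and an HTTP/1.1-only profile that needs nothing.
SAMPLE_NS_CONF = """\
add ns httpProfile nshttp_default_profile -http2 ENABLED
add ns httpProfile nshttp_default_strict_validation -http2 ENABLED -http2SmallWndTimeout 30
add ns httpProfile legacy_http1 -http2 DISABLED
"""

if __name__ == "__main__":
    print("patched:", is_patched("NetScaler NS14.1: Build 72.61.nc, Date: Jun 30 2026"))
    for cmd in remediation_commands(SAMPLE_NS_CONF):
        print(cmd)
```

Feed it the output of "show ns version" and a copy of ns.conf from each appliance; an empty remediation list together with a patched build is the condition the advisory describes as fully mitigated for CVE-2026-13474. Note that the script reports only on profiles seen in ns.conf, so a profile that is HTTP/2-enabled through a default the config file does not print would still need checking on the appliance itself.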

Citrix credited Michael Tucker from the XOR team at JPMorgan Chase,…

