On October 3, 2023, Citrix announced critical security updates for its NetScaler ADC and NetScaler Gateway products, addressing six vulnerabilities, including the severe HTTP/2 Bomb flaw. Notable issues include four high-severity vulnerabilities related to out-of-bounds reads and memory overflows, tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816. The HTTP/2 Bomb, tracked as CVE-2026-13474, is a denial-of-service flaw that targets specific web servers.
Citrix urges customers to apply the new patches in versions 14.1-72.61 and 13.1-63.18 because the vulnerabilities require certain configurations to be exploited. WatchTowr, an attack surface management firm, highlighted CVE-2026-8451, emphasizing its potential to lead to full device compromise if exploited.