
Citrix has issued emergency updates for its NetScaler ADC and Gateway platforms after researchers warned of a new HTTP/2 Bomb flaw alongside several memory-safety bugs, according to SecurityWeek.
The advisory identifies CVE-2026-8451, CVE-2026-8452 and CVE-2026-8655, each scored CVSS 8.8, as out-of-bounds reads that could allow unauthenticated memory disclosure, as detailed in Citrix's KB article. CVE-2026-10816 is rated CVSS 7.1 and stems from a memory overflow in the packet processing engine. The HTTP/2 Bomb flaw, tracked as CVE-2026-13474, carries a CVSS 8.7 score: it causes a denial of service by forcing the server to allocate excessive resources while handling malformed HEADERS frames.
Exploitation of the memory overread vulnerabilities does not require authentication; an attacker can trigger them by sending specially crafted HTTP requests to a vulnerable NetScaler appliance. The flaws are only exploitable when certain features, such as HTTP/2-enabled load balancing or SSL offloading, are active, which narrows the attack surface but still leaves many deployments exposed. Citrix notes that the updates are available for NetScaler ADC and Gateway as releases 14.1-72.61 and 13.1-63.18, and urges administrators to apply them promptly.
To date, Citrix has not observed any of these flaws being exploited in the wild, and no threat actor has been linked to them. However, independent researchers at WatchTowr warned that CVE-2026-8451 could be chained with other weaknesses to achieve full device compromise if an attacker has network access. The absence of detected attacks does not reduce the risk, especially for internet-facing gateways, which are scanned continuously for exposed and misconfigured services.
Administrators should first verify the exact build of their NetScaler appliances and compare it against the patched releases cited in the advisory. If a system is running an affected build, the update must be downloaded from the Citrix download portal and applied during a maintenance window to avoid service disruption. After patching, review logs for unusual HTTP/2 frames or sudden spikes in resource consumption that could indicate attempted exploitation, bearing in mind that out-of-bounds reads rarely leave traces in application logs, so a clean log does not prove the appliance was never probed.
Organizations that cannot patch immediately should consider disabling HTTP/2 on the affected virtual servers as a temporary mitigation while they schedule the upgrade. This only removes the HTTP/2-dependent exposure; it does not cover the paths that depend on SSL offloading, so it is a stopgap rather than a substitute for the update. Continuous monitoring of traffic patterns and regular vulnerability scans will help ensure that any future anomalies are caught early.
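The first step of the procedure above, checking a build against the fixed releases, is the one most worth automating across a fleet. The following POSIX shell script is an added example written for this page; it is not Citrix's code and not from the SecurityWeek report. It assumes the banner format printed by the NetScaler CLI command `show ns version` (`NetScaler NS14.1: Build 72.61.nc, Date: ...`) and treats the two releases named in the advisory, 14.1-72.61 and 13.1-63.18, as the first fixed builds on their branches; confirm both against Citrix's KB article before relying on the verdict. The sample banner at the bottom is constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Added example (not Citrix's code): classify a NetScaler build as PATCHED or
# VULNERABLE against the fixed builds named in the advisory.
# ASSUMPTION: 14.1-72.61 and 13.1-63.18 are the first fixed builds on their
# branches; check the KB article, as later fixed builds may be listed there.
FIXED_14_1="72.61"
FIXED_13_1="63.18"

# netscaler_build "<show ns version banner>" -> prints "<branch> <build>",
# e.g. "14.1 72.61". Prints nothing if the banner does not match the
# assumed format "NetScaler NS<branch>: Build <build>.nc, Date: ...".
netscaler_build() {
    printf '%s\n' "$1" |
        sed -n 's/.*NS\([0-9][0-9]*\.[0-9][0-9]*\): Build \([0-9][0-9]*\.[0-9][0-9]*\).*/\1 \2/p'
}

# build_lt A B -> success (0) when build A is lower than build B.
# Builds are compared numerically, major then minor, so "72.7" < "72.61"
# and a plain string comparison would get this wrong.
build_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# ns_patch_status "<show ns version banner>" -> prints one of
#   PATCHED         build is at or above the fixed build for its branch (exit 0)
#   VULNERABLE      build is below the fixed build for its branch      (exit 0)
#   UNKNOWN-BRANCH  branch is not one the advisory names                (exit 2)
#   UNPARSED        banner did not match the assumed format             (exit 1)
# Variables are global because POSIX sh has no `local`.
ns_patch_status() {
    set -- $(netscaler_build "$1")   # word-splitting into $1=branch $2=build is intended
    branch=$1; build=$2
    [ -n "$branch" ] || { echo "UNPARSED"; return 1; }
    case "$branch" in
        14.1) fixed=$FIXED_14_1 ;;
        13.1) fixed=$FIXED_13_1 ;;
        *)    echo "UNKNOWN-BRANCH"; return 2 ;;
    esac
    if build_lt "$build" "$fixed"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# Constructed sample banner (not from a real appliance). On a live system the
# banner would come from the CLI, e.g.
#   ns_patch_status "$(ssh nsroot@ns1.example.internal 'show ns version' | head -n1)"
SAMPLE='NetScaler NS14.1: Build 65.12.nc, Date: Jan 5 2026, 09:12:43   (64-bit)'
ns_patch_status "$SAMPLE"
```

Run it against every appliance before the maintenance window so the list of hosts that still need the download is explicit rather than assumed. For the temporary mitigation, HTTP/2 on NetScaler is controlled by the HTTP profile bound to a virtual server rather than by the virtual server itself, so the change is made on that profile (on current releases the form is `set ns httpProfile <name> -http2 DISABLED`); confirm the exact syntax and the profile bound to each affected vserver in the command reference for your release before applying it.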