All incidents

Citrix NetScaler out-of-bounds read flaw (CVE-2026-3055) actively exploited

vulnerabilityclosedMar 24, 2026 — Mar 31, 2026
Citrix NetScaler out-of-bounds read flaw (CVE-2026-3055) actively exploited

THE U.S. Cybersecurity and Infrastructure Security Agency has added CVE‑2026‑3055 to its Known Exploited Vulnerabilities catalogue after confirming that the flaw is being used in the wild, marking it as a pressing risk for organisations that run Citrix NetScaler ADC or Gateway appliances configured as a SAML identity provider.

Tracked as an out‑of‑bounds read with a CVSS v3.1 score of 9.3, the vulnerability stems from insufficient input validation in the SAML IDP handling code and can be triggered only when the appliance is explicitly configured to act as a SAML identity provider; default deployments are not affected. An unauthenticated remote attacker can cause the device to leak memory contents, potentially exposing authentication tokens or session data.

Citrix’s security bulletin notes that the flaw affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1‑66.59, 13.1 before 13.1‑62.23, and NetScaler ADC FIPS and NDcPP builds before 13.1‑37.262. The issue was disclosed on 23 March 2026 and exists only in customer‑managed instances; Citrix‑managed cloud services remain outside the scope of the vulnerability.

Independent researchers have observed active exploitation shortly after public disclosure, with WatchTowr reporting initial reconnaissance followed by confirmed memory‑leak attempts, and Infosecurity Magazine noting honeypot activity that matches the expected attack pattern. CISA’s entry in the KEV catalogue cites this in‑the‑wild use as the basis for its addition, although no specific threat actor has been attributed to the campaigns.

Defenders should apply the patches referenced in Citrix’s advisory Citrix security bulletin as a first step, verify whether any NetScaler appliance is configured as a SAML IDP and disable that role if it is not required, restrict management interfaces to trusted networks, and monitor logs for abnormal memory read anomalies. Organisations should also align their remediation timelines with the due dates indicated in the KEV catalogue.

Given the critical severity and confirmed field use, timely patching is essential; staying alert to further Citrix advisories and CISA updates will help administrators track any emerging details. Additional context on the exploitation timeline can be found in the weekly recap The Hacker News and the early‑exploitation report SecurityWeek.

Intelligence briefing updated Jun 16, 2026

CVE-2026-3055 9.3 KEV CVE-2026-4368 7.7
Root sourcesupport.citrix.com
Timeline Coverage

Swipe to explore timeline