Citrix has identified a high-severity memory overread vulnerability (CVE-2026-8451, CVSS 8.8) affecting NetScaler ADC and NetScaler Gateway. The flaw stems from insufficient input validation, allowing unauthenticated attackers to trigger memory dumps and expose sensitive session data or credentials. This vulnerability is specifically critical for instances configured as a SAML Identity Provider (IdP). Active exploitation has been observed in the wild, mirroring the mechanics of the previous "CitrixBleed" exploit. Remediation requires immediate firmware updates to address this and five associated vulnerabilities, including CVE-2026-8452 and CVE-2026-13474, to prevent unauthorized resource access.
Vulnerability Overview: Technical Context
- Focuses on CVE-2026-8451, a memory overread flaw caused by poor input validation.
- Part of a larger cluster of six vulnerabilities impacting NetScaler ADC and Gateway appliances.
- Shares architectural similarities with "CitrixBleed," facilitating unauthorized information disclosure.
Mechanics: The SAML IdP Vector
- Risk is significantly elevated when the appliance is deployed specifically as a SAML Identity Provider (IdP).
- Enables attackers to dump memory regions containing sensitive runtime data via malformed inputs.
- The wider cluster of six flaws also covers arbitrary file reads and Denial-of-Service (DoS) conditions.
Exploitation Status: Active Threats
- Threat intelligence confirms exploit attempts are currently active in the wild.
- Attackers are targeting unpatched instances to harvest active session tokens and administrative credentials.
- Categorized as high-severity due to the lack of authentication required to trigger the memory overread.
Impact: Potential Consequences
- Exposure of session cookies or cleartext credentials stored in memory.
- Potential for complete bypass of authentication, granting unauthorized access to protected internal resources.
- Risk of system instability or total service outage resulting from memory corruption or DoS attacks.
Remediation: Mitigation and Patching
- Immediate application of the latest Citrix security updates for all affected firmware builds.
- Audit of SAML IdP configurations to identify and harden exposed endpoints.
- Continuous monitoring for anomalous memory access patterns or unexpected session request spikes.
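The monitoring recommendation above is easier to act on with something concrete to run. The following is an added example (not Citrix's code and not from any of the linked posts) that scans access-log lines for two generic signals worth reviewing while a memory-disclosure bug affects a SAML IdP endpoint: a burst of requests to the endpoint from one source, and responses from that endpoint that are far larger than the normal page size. The log format, the `/saml/login` path, the thresholds and the sample lines are all assumptions or constructed data; adapt `LINE_RE`, `IDP_PATH` and the baseline size to your own appliance's telemetry.

```python
"""Added example: flag request bursts and oversized responses on a SAML IdP
endpoint in access logs. Assumptions: NCSA combined-style log lines (real
NetScaler syslog/AppFlow records differ), an IdP path of /saml/login
(placeholder), and a per-deployment baseline response size."""
from collections import defaultdict
from datetime import datetime
import re

# Assumed log line layout; adapt to the format your appliance actually emits.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Placeholder: the SAML IdP endpoint path to watch on this deployment.
IDP_PATH = "/saml/login"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def find_bursts(lines, window_seconds=60, threshold=20, path=IDP_PATH):
    """Map source -> peak number of requests to `path` seen inside any sliding
    window of `window_seconds`; only sources at or above `threshold` are kept."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            per_src[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_oversized(lines, baseline_size, factor=4, path=IDP_PATH):
    """Return (src, size) pairs for responses on `path` larger than
    `factor` times the baseline. The baseline is the normal response size
    measured on your own appliance (assumption); a much larger body from an
    endpoint that normally returns a fixed-size page deserves a closer look."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path and rec["size"] > baseline_size * factor:
            out.append((rec["src"], rec["size"]))
    return out


def build_sample_log():
    """Constructed sample, not real telemetry: one ordinary client, one client
    hammering the IdP endpoint, and one oversized response."""
    lines = [
        '198.51.100.4 - - [12/Mar/2026:10:00:01 +0000] "GET /saml/login?sid=1 HTTP/1.1" 200 1480',
        '198.51.100.4 - - [12/Mar/2026:10:05:11 +0000] "POST /saml/login HTTP/1.1" 302 0',
        '198.51.100.4 - - [12/Mar/2026:10:05:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096',
    ]
    for i in range(25):
        lines.append(
            f'203.0.113.7 - - [12/Mar/2026:10:07:{i:02d} +0000] "POST /saml/login HTTP/1.1" 200 1480'
        )
    lines.append(
        '203.0.113.7 - - [12/Mar/2026:10:07:30 +0000] "POST /saml/login HTTP/1.1" 200 65536'
    )
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("bursts:", find_bursts(log))
    print("oversized:", find_oversized(log, baseline_size=1480))
```

Both checks are deliberately coarse: the burst detector catches repeated probing of the endpoint regardless of payload, and the size check catches the symptom of a response carrying more than the page it should. Tune the window, threshold and baseline against a week of normal traffic before alerting on them, and treat hits as a prompt to review sessions issued in that period rather than as proof of compromise.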
Related posts
- SecurityWeek — New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure
- eSecurity Planet — CVE-2026-8451: Citrix NetScaler Vulnerability Leaks Memory
- cyberscoop.com — Citrix patches a new NetScaler flaw with echoes of CitrixBleed
- feeds.feedburner.com — Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service
- penligent.ai — CVE-2026-8451, the NetScaler SAML IdP Memory Overread
- fieldeffect.com — New CitrixBleed-Like Flaw Exploited