Citrix Addresses Critical NetScaler Vulnerabilities, Including New HTTP/2 Bomb Exploit


Citrix disclosed new security patches for its NetScaler ADC and NetScaler Gateway products on Tuesday, addressing six distinct vulnerabilities.

Overview of Vulnerabilities

Among these is a newly identified HTTP/2 Bomb attack vector that targets Apache HTTP Server implementations. The updates resolve issues categorized as high and medium severity, including out-of-bounds memory access, memory overflow, and arbitrary file read flaws.

Details of Affected Vulnerabilities

Four vulnerabilities were assigned CVE identifiers: CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816. These flaws involve out-of-bounds read operations, memory overflow conditions, and unauthorized file access. A fifth vulnerability, CVE-2026-10816, is classified as medium severity and also involves out-of-bounds memory access.

HTTP/2 Bomb Vulnerability

The sixth issue, designated as HTTP/2 Bomb, functions as a denial-of-service (DoS) exploit. Citrix assigned a separate identifier, CVE-2026-13474, to this vulnerability, which leverages techniques previously documented in the cybersecurity community. The HTTP/2 Bomb vulnerability was identified using OpenAI’s Codex tool and combines existing attack methodologies to disrupt web server operations.

Resolutions and Affected Versions

Citrix confirmed that the affected vulnerabilities were resolved in specific software versions: NetScaler ADC and Gateway versions 14.1-72.61 and 13.1-63.18, NetScaler ADC FIPS version 14.1-72.61 FIPS, and NetScaler ADC FIPS and NDcPP version 13.1-37.272. Citrix emphasized that each vulnerability requires specific configuration conditions to be exploited.
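As an added example (not code from the article, Citrix or watchTowr), a small Python helper that parses NetScaler build strings in the format the advisory uses (for example 14.1-72.61) and compares a deployment inventory against the fixed builds listed above, which is the kind of deployment review the next section asks customers to perform. The inventory entries are constructed, and the `fips_or_ndcpp` flag is an assumption used only to select the right build train.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds taken from the advisory text above, keyed by
# (release branch, whether the appliance runs the FIPS/NDcPP train).
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (72, 61),   # NetScaler ADC and Gateway 14.1-72.61
    ("13.1", False): (63, 18),   # NetScaler ADC and Gateway 13.1-63.18
    ("14.1", True): (72, 61),    # NetScaler ADC FIPS 14.1-72.61 FIPS
    ("13.1", True): (37, 272),   # NetScaler ADC FIPS and NDcPP 13.1-37.272
}

# "<major>.<minor>-<build>.<sub>" as written in the advisory.
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-72.61' into ('14.1', (72, 61)); raise on unexpected input."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return match.group(1), (int(match.group(2)), int(match.group(3)))


def is_patched(version: str, fips_or_ndcpp: bool = False) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is older, None if the branch is not covered by this advisory."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, fips_or_ndcpp))
    if fixed is None:
        return None  # not in the advisory: consult Citrix's bulletin directly
    return build >= fixed  # tuple comparison orders (build, sub) numerically


def audit(inventory: Dict[str, Tuple[str, bool]]) -> Dict[str, str]:
    """Map each appliance name to 'patched', 'UNPATCHED' or 'unknown branch'."""
    labels = {True: "patched", False: "UNPATCHED", None: "unknown branch"}
    return {name: labels[is_patched(ver, fips)] for name, (ver, fips) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    sample = {
        "gw-dc1": ("14.1-72.61", False),
        "gw-dc2": ("14.1-65.20", False),
        "adc-fips": ("13.1-37.250", True),
        "legacy": ("12.1-55.1", False),
    }
    for name, status in audit(sample).items():
        print(f"{name}: {status}")
```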

Recommendations for Customers

Customers are advised to review their deployments to determine if vulnerable features are active. Attack surface management firm watchTowr highlighted CVE-2026-8451, which carries a CVSS score of 8.8, as part of the CitrixBleed series of flaws. This particular vulnerability affects the XML parser in NetScaler, enabling unauthorized memory access in HTTP responses.

watchTowr noted that successful exploitation could lead to data leakage, including memory pointers that, when paired with memory corruption issues, might result in full system compromise.

Additional Vulnerabilities and Industry Trends

Organizations utilizing self-managed NetScaler ADC, NetScaler Gateway, or Citrix Secure Private Access Hybrid deployments are urged to apply the latest patches promptly. Additional vulnerabilities impacting other systems were also addressed in separate updates, including flaws in Google Chrome, Oracle E-Business Suite, and the SimpleHelp platform.

Researchers have observed active exploitation of these issues, underscoring the urgency of mitigation efforts. Citrix’s updates follow broader industry trends of rapid vulnerability disclosure and patching, reflecting the evolving threat landscape. Enterprises are encouraged to prioritize timely implementation of security updates to minimize exposure to emerging risks.
