Citrix NetScaler Out-of-Bounds Read Vulnerability CVE-2026-3055 in CISA KEV
Summary
CISA added CVE-2026-3055, an out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway, to its Known Exploited Vulnerabilities catalog on March 30, 2026. The flaw affects systems configured as SAML Identity Providers and can lead to memory overread. Federal agencies were required to remediate by April 2, 2026.
Threat Analysis
CVE-2026-3055 is an out-of-bounds read vulnerability affecting Citrix NetScaler ADC, NetScaler Gateway, and NetScaler ADC FIPS and NDcPP products when configured as a SAML Identity Provider (IDP). The vulnerability can lead to memory overread, potentially exposing sensitive data or enabling further exploitation.
Affected Products: Citrix NetScaler ADC, NetScaler Gateway, and NetScaler ADC FIPS/NDcPP when configured as SAML IDP.
Exploitation Status: Actively exploited in the wild per CISA KEV listing. CISA added this vulnerability on March 30, 2026, with a remediation deadline of April 2, 2026 for federal agencies.
Recommended Mitigations: Apply Citrix security patches immediately. If the SAML IDP configuration is not required, disable it to reduce the attack surface. Follow CISA BOD 22-01 guidance and monitor Citrix security advisories for updated patches.
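Because the vulnerability only applies to appliances configured as a SAML IDP, the first triage step is to find out whether SAML IDP objects exist in the configuration and whether any of them are actually bound to an authentication virtual server. The script below is an added example, not code from the advisory, CISA or Citrix: it parses an ns.conf text dump and reports SAML IDP profiles, policies and bindings. The ns.conf excerpt is constructed, and the command shapes it assumes (add authentication samlIdPProfile / samlIdPPolicy, bind authentication vserver ... -policy ...) should be checked against a real dump from your own appliance before relying on the result.

```python
"""Triage helper: does a NetScaler ns.conf dump configure a SAML Identity Provider?

Added example for CVE-2026-3055 triage; not part of the advisory and not Citrix code.
The command syntax assumed here is the usual NetScaler CLI shape and should be
verified against a real ns.conf before use.
"""
import re
import shlex

# Constructed sample ns.conf excerpt (not a real appliance dump).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication vserver auth_vs SSL 10.0.0.10 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
add authentication samlIdPPolicy idp_pol_unused -rule true -action idp_prof
bind authentication vserver auth_vs -policy idp_pol -priority 100 -gotoPriorityExpression END
add authentication ldapAction ldap_act -serverIP 10.0.0.20
"""

# "add authentication samlIdPProfile <name> ..." / "add authentication samlIdPPolicy <name> ..."
ADD_RE = re.compile(r"^add authentication (samlIdPProfile|samlIdPPolicy)\s+(\S+)", re.IGNORECASE)
# "bind authentication vserver <vserver> -policy <policy> ..."
BIND_RE = re.compile(r"^bind authentication vserver\s+(\S+)\s+-policy\s+(\S+)", re.IGNORECASE)


def parse_ns_conf(text):
    """Return (profiles, policies, bindings) found in an ns.conf text.

    profiles: set of samlIdPProfile names
    policies: dict samlIdPPolicy name -> action (profile name, or None if absent)
    bindings: dict authentication vserver name -> list of bound policy names
    """
    profiles = set()
    policies = {}
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ADD_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind.lower() == "samlidpprofile":
                profiles.add(name)
            else:
                # shlex handles quoted values such as URLs in the argument list
                tokens = shlex.split(line)
                action = None
                if "-action" in tokens:
                    idx = tokens.index("-action")
                    if idx + 1 < len(tokens):
                        action = tokens[idx + 1]
                policies[name] = action
            continue
        m = BIND_RE.match(line)
        if m:
            vserver, policy = m.groups()
            bindings.setdefault(vserver, []).append(policy)
    return profiles, policies, bindings


def assess_saml_idp_exposure(text):
    """Summarise whether the config makes the appliance act as a SAML IDP.

    'configured' is true if any SAML IDP profile or policy exists;
    'active_vservers' lists vservers with a bound samlIdPPolicy, which is the
    exposure the advisory describes (appliances configured as SAML IDP).
    """
    profiles, policies, bindings = parse_ns_conf(text)
    active = {}
    for vserver, bound in bindings.items():
        saml_pols = [p for p in bound if p in policies]
        if saml_pols:
            active[vserver] = saml_pols
    bound_anywhere = {p for bound in bindings.values() for p in bound}
    unbound = sorted(p for p in policies if p not in bound_anywhere)
    if active:
        verdict = "SAML IDP active: patch now, or unbind and remove if not required"
    elif profiles or policies:
        verdict = "SAML IDP objects present but not bound: remove if unused; still patch"
    else:
        verdict = "No SAML IDP configuration found; still apply the patch"
    return {
        "configured": bool(profiles or policies),
        "profiles": sorted(profiles),
        "active_vservers": active,
        "unbound_policies": unbound,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = assess_saml_idp_exposure(SAMPLE_NS_CONF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a saved copy of ns.conf (for example one pulled from the appliance with a normal backup) rather than against live CLI output; the bound-policy list is what tells you whether the SAML IDP path is reachable, and the unbound list is a cleanup candidate when the IDP role is not needed.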