Vulnerabilities | High

Citrix NetScaler CVE-2026-3055: Out-of-Bounds Read Vulnerability Exploited in Wild

Monday, April 6, 2026
Global
CISA KEV

Summary

CVE-2026-3055 is an out-of-bounds read (memory overread) in Citrix NetScaler ADC and NetScaler Gateway that is reachable when the appliance is configured as a SAML Identity Provider (IDP). CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on March 30, 2026 with a remediation due date of April 2, 2026; that date has already passed, so patching should be treated as urgent.

Threat Analysis

CVE-2026-3055 affects Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway), and the NetScaler ADC FIPS and NDcPP editions. It is an out-of-bounds read, reachable when the appliance is configured as a SAML Identity Provider (IDP), that lets an attacker read memory beyond the intended buffer (a memory overread). Appliances that are not acting as a SAML IDP are not in the affected configuration, but they should still be updated to a fixed build.

Affected Products: Citrix NetScaler ADC, NetScaler Gateway, NetScaler ADC FIPS, and NetScaler ADC NDcPP, when configured as a SAML IDP.
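Deciding which appliances are actually in the affected SAML IDP configuration is the first triage step. The script below is an added example, not Citrix code: it parses saved output of `show authentication samlIdPProfile`, `show authentication samlIdPPolicy` and `show authentication vserver <name>`, reports whether an IDP policy backed by a defined IDP profile is bound to the authentication virtual server, and prints the unbind commands for the temporary mitigation described on this page. The sample CLI output is constructed, and both the field layout and the `unbind authentication vserver` / `save ns config` command forms are assumptions to verify against your own build before use.

```python
import re
from dataclasses import dataclass

# Constructed samples (NOT captured from a real appliance). The field names
# approximate `show authentication samlIdPProfile`, `show authentication
# samlIdPPolicy` and `show authentication vserver <name>`; adjust the regexes
# if your build prints them differently.
PROFILES_OUT = """\
1)\tName: corp_idp_prof
\tSAML IDP Certificate Name: idp_signing_cert
\tAssertion Consumer Service URL: https://sp.example.com/saml/acs
 Done
"""
POLICIES_OUT = """\
1)\tName: corp_idp_pol
\tRule: true
\tAction: corp_idp_prof
2)\tName: legacy_idp_pol
\tRule: false
\tAction: retired_prof
 Done
"""
VSERVER_OUT = """\
\taaa_vs (10.0.0.20:443) - SSL\tType: CONTENT
\tState: UP
1)\tAdvanced Authentication Policy Name: corp_idp_pol\tPriority: 100
 Done
"""

# One numbered entry runs from "N)" up to the next "N)" or the trailing " Done".
ENTRY_RE = re.compile(r"^\d+\)\s*(.*?)(?=^\d+\)|^\s*Done\s*$)", re.S | re.M)
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\S+)")


def entries(cli_output):
    """Split numbered CLI entries into {field: value} dicts."""
    result = []
    for m in ENTRY_RE.finditer(cli_output):
        fields = {}
        for line in m.group(1).splitlines():
            for key, value in FIELD_RE.findall(line):
                fields[key.strip()] = value
        result.append(fields)
    return result


@dataclass
class IdpExposure:
    vserver: str
    profiles: list          # SAML IDP profiles defined on the appliance
    active_policies: list   # IDP policies bound to vserver whose action is a defined profile

    @property
    def exposed(self):
        # The advisory's affected configuration: the appliance is acting as a SAML IDP.
        return bool(self.active_policies)

    def disable_commands(self):
        # Assumed NetScaler CLI forms for the page's "disable SAML IDP" step;
        # verify against your build's documentation and change control first.
        if not self.active_policies:
            return []
        cmds = [f"unbind authentication vserver {self.vserver} -policy {p}"
                for p in self.active_policies]
        return cmds + ["save ns config"]


def assess(vserver, profiles_out, policies_out, vserver_out):
    """Correlate profiles, policies and vserver bindings into an exposure verdict."""
    profiles = {e["Name"] for e in entries(profiles_out) if "Name" in e}
    policy_action = {e["Name"]: e.get("Action") for e in entries(policies_out) if "Name" in e}
    bound = {e["Advanced Authentication Policy Name"]
             for e in entries(vserver_out) if "Advanced Authentication Policy Name" in e}
    # A bound policy counts only if its action points at a real IDP profile.
    active = sorted(p for p in bound if policy_action.get(p) in profiles)
    return IdpExposure(vserver, sorted(profiles), active)


if __name__ == "__main__":
    r = assess("aaa_vs", PROFILES_OUT, POLICIES_OUT, VSERVER_OUT)
    print("exposed:", r.exposed, "active IDP policies:", r.active_policies)
    for c in r.disable_commands():
        print("  ", c)
```

Run it against output saved from each appliance (for example from a configuration-management export) rather than pasting by hand, and treat a verdict of `exposed` as a reason to prioritise that box for patching, not as a reason to skip patching the others.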

Exploitation Status: Actively exploited in the wild. CISA added the CVE to the KEV catalog on March 30, 2026 with a federal remediation due date of April 2, 2026, which binds Federal Civilian Executive Branch agencies under BOD 22-01. That deadline has passed; all organizations should treat this as an emergency patch.

Context: NetScaler ADC and Gateway appliances are widely deployed at the edge of enterprise networks as application delivery controllers and VPN/remote-access gateways, and are typically internet-facing. That makes them high-value targets for threat actors seeking initial access to corporate networks.

Recommended Mitigations: Apply the fixed Citrix builds immediately. If SAML IDP functionality is not required, disable it as a temporary mitigation, for example by unbinding the SAML IDP policies from the authentication virtual server, and confirm afterwards that no IDP policy remains bound. Review NetScaler AAA/authentication logs for anomalous patterns, such as one source address attempting many accounts or one account authenticating from several addresses within a short window. Monitor network traffic to and from the NetScaler appliances for unusual patterns, especially unexpected outbound connections originating from the appliance itself.
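For the log-review step, the following is an added example (not from the advisory or from Citrix) that runs two generic heuristics over NetScaler AAA syslog lines: one source address attempting many accounts, and one account succeeding from several addresses within a short window. The log lines are constructed, the message layout is an approximation of the appliance's `AAATM LOGIN` / `AAA LOGIN_FAILED` format, and the window and thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of NetScaler AAA syslog (NOT real data). The layout
# approximates the appliance's "AAATM LOGIN" / "AAA LOGIN_FAILED" messages;
# adjust LOG_RE if your export differs.
SAMPLE_LOGS = """\
Apr  3 09:00:00 10.0.0.20 04/03/2026:09:00:00 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 21001 0 :  User alice - Client_ip 198.51.100.9 - Nat_ip "Mapped Ip" - Vserver 10.0.0.20:443 - Failure_reason "Authentication failed"
Apr  3 09:00:20 10.0.0.20 04/03/2026:09:00:20 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 21002 0 :  User bob - Client_ip 198.51.100.9 - Nat_ip "Mapped Ip" - Vserver 10.0.0.20:443 - Failure_reason "Authentication failed"
Apr  3 09:00:41 10.0.0.20 04/03/2026:09:00:41 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 21003 0 :  User carol - Client_ip 198.51.100.9 - Nat_ip "Mapped Ip" - Vserver 10.0.0.20:443 - Failure_reason "Authentication failed"
Apr  3 09:05:00 10.0.0.20 04/03/2026:09:05:00 GMT ns1 0-PPE-0 : default AAATM LOGIN 21004 0 :  Context bob@203.0.113.7 - SessionId: 1104- User bob - Client_ip 203.0.113.7 - Nat_ip "Mapped Ip" - Vserver 10.0.0.20:443 - Browser_type "Mozilla/5.0"
Apr  3 09:07:30 10.0.0.20 04/03/2026:09:07:30 GMT ns1 0-PPE-0 : default AAATM LOGIN 21005 0 :  Context bob@198.51.100.9 - SessionId: 1105- User bob - Client_ip 198.51.100.9 - Nat_ip "Mapped Ip" - Vserver 10.0.0.20:443 - Browser_type "curl/8.0"
Apr  3 09:09:00 10.0.0.20 04/03/2026:09:09:00 GMT ns1 0-PPE-0 : default AAATM LOGOUT 21006 0 :  Context bob@203.0.113.7 - SessionId: 1104- User bob - Client_ip 203.0.113.7
Apr  3 09:30:00 10.0.0.20 04/03/2026:09:30:00 GMT ns1 0-PPE-0 : default AAATM LOGIN 21007 0 :  Context dave@192.0.2.10 - SessionId: 1106- User dave - Client_ip 192.0.2.10 - Nat_ip "Mapped Ip" - Vserver 10.0.0.20:443 - Browser_type "Mozilla/5.0"
"""

# Only login outcomes matter here; logouts and other AAA messages are skipped.
LOG_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?: default "
    r"(?P<evt>AAATM LOGIN|AAA LOGIN_FAILED) .*?User (?P<user>\S+) - Client_ip (?P<ip>\S+)"
)


def parse(lines):
    """Extract {ts, ok, user, ip} from matching log lines, sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S"),
            "ok": m["evt"] == "AAATM LOGIN",
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events, window=timedelta(minutes=10), spray_users=3, roaming_ips=2):
    """Two heuristics (assumed, not from the advisory):
    - many_users_one_ip: one client IP tries >= spray_users distinct accounts
      within window (spraying / credential stuffing against the IDP)
    - one_user_many_ips: one account logs in successfully from >= roaming_ips
      client IPs within window (credential or session reuse from a new source)
    Returns (kind, key, sorted values, window start) tuples, first hit per key."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        if e["ok"]:
            by_user[e["user"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= spray_users:
                findings.append(("many_users_one_ip", ip, sorted(users), start["ts"]))
                break
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            ips = {x["ip"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(ips) >= roaming_ips:
                findings.append(("one_user_many_ips", user, sorted(ips), start["ts"]))
                break
    return findings


if __name__ == "__main__":
    for kind, key, values, when in find_anomalies(parse(SAMPLE_LOGS.splitlines())):
        print(f"{when:%Y-%m-%d %H:%M:%S} {kind}: {key} -> {values}")
```

On the constructed sample this flags 198.51.100.9 for trying three accounts in under a minute and the account bob for succeeding from two addresses within ten minutes; on real data, feed it the syslog export for the period since the appliance was last patched and review each hit against VPN and proxy ranges before escalating.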

Last updated: Apr 6, 2026, 08:20 AM
