Citrix has rolled out crucial security updates for its NetScaler ADC and NetScaler Gateway products, addressing a total of six vulnerabilities, including the newly identified and potentially disruptive HTTP/2 Bomb attack.
Overview of Addressed Vulnerabilities
The security patches resolve several high-risk vulnerabilities, specifically designated as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816. These issues involve risks like out-of-bounds read, memory overflow, and arbitrary file reads, posing significant threats if exploited.
Additionally, a medium-severity vulnerability tracked as CVE-2026-10816 has been resolved. The most notable of these, however, is the HTTP/2 Bomb, a denial-of-service (DoS) exploit targeting the Apache HTTP Server, which Citrix has specifically addressed in the latest updates.
Details of the HTTP/2 Bomb Vulnerability
Identified as CVE-2026-49975 and discovered through OpenAI’s Codex, the HTTP/2 Bomb vulnerability uses a combination of known attack strategies to incapacitate web servers. Citrix has issued a unique CVE identifier, CVE-2026-13474, for this particular weakness in NetScaler systems.
The vulnerabilities have been patched in multiple versions, including NetScaler ADC and NetScaler Gateway versions 14.1-72.61 and 13.1-63.18, and specific FIPS and NDcPP versions. Citrix advises customers to assess the configurations of their deployments to determine if they are affected by these vulnerabilities.
Recommendations for Citrix Customers
Security firm watchTowr has emphasized the importance of addressing CVE-2026-8451, which has a CVSS score of 8.8 and is part of the CitrixBleed series. This vulnerability affects NetScaler’s XML parser, potentially leading to unauthorized memory access and data exposure.
For successful exploitation, this flaw requires specific conditions, such as the NetScaler instance being configured as a SAML IDP. An attacker could leverage this vulnerability to extract sensitive data, potentially compromising the entire device.
Citrix encourages all organizations utilizing self-managed NetScaler ADC, NetScaler Gateway, and Citrix Secure Private Access Hybrid environments to implement the latest patches promptly to protect their systems from potential threats.
Staying updated with these security measures is crucial for maintaining the integrity and security of NetScaler deployments. Organizations should prioritize these updates to mitigate risks associated with these vulnerabilities.
