NCSC-2026-0216
Vulnerability from csaf_ncscnl - Published: 2026-06-30 20:43 - Updated: 2026-06-30 20:43

CVE-2026-8451: A memory overread vulnerability exists in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider due to insufficient input validation.
CWE-125 - Out-of-bounds Read

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| NetScaler / ADC | vers:unknown/* | vers:unknown/* | |
| NetScaler / Gateway | vers:unknown/* | vers:unknown/* | |
CVE-2026-8452: A memory overflow vulnerability in NetScaler ADC and NetScaler Gateway, when configured as Gateway or AAA virtual servers, can lead to unpredictable behavior and denial of service conditions.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| NetScaler / ADC | vers:unknown/* | vers:unknown/* | |
| NetScaler / Gateway | vers:unknown/* | vers:unknown/* | |
CVE-2026-8655: Multiple memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway can cause unpredictable behavior and denial of service when configured as Oracle load balancer, DNS proxy, or DNS recursive resolver.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| NetScaler / ADC | vers:unknown/* | vers:unknown/* | |
| NetScaler / Gateway | vers:unknown/* | vers:unknown/* | |
CVE-2026-10816: An unauthenticated arbitrary file read vulnerability affects NetScaler ADC and NetScaler Gateway when management access is enabled on NSIP, Cluster Management IP, or SNIP interfaces.
CWE-73 - External Control of File Name or Path

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| NetScaler / ADC | vers:unknown/* | vers:unknown/* | |
| NetScaler / Gateway | vers:unknown/* | vers:unknown/* | |
CVE-2026-10817: Insufficient input validation in NetScaler ADC and Gateway with TCP TimeStamp enabled can lead to memory overread issues when used with specific virtual servers or services.
CWE-125 - Out-of-bounds Read

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| NetScaler / ADC | vers:unknown/* | vers:unknown/* | |
| NetScaler / Gateway | vers:unknown/* | vers:unknown/* | |
CVE-2026-13474: A denial of service vulnerability in NetScaler ADC and NetScaler Gateway occurs when HTTP/2 is enabled in the HTTP Profile and linked to virtual servers or services, triggered by malformed HTTP/2 requests.
CWE-401 - Missing Release of Memory after Effective Lifetime

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| NetScaler / ADC | vers:unknown/* | vers:unknown/* | |
| NetScaler / Gateway | vers:unknown/* | vers:unknown/* | |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Citrix heeft kwetsbaarheden verholpen in NetScaler ADC en NetScaler Gateway die verband houden met onvoldoende invoervalidatie, onjuiste toegangscontrole en het onjuist vrijgeven van geheugen.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden met de kenmerken CVE-2026-8451 en CVE-2026-10817 ontstaan door onvoldoende invoervalidatie, waarbij de software invoergroottes en -grenzen niet correct controleert. Dit kan leiden tot geheugenoverlezingen, wat kan resulteren in ongeautoriseerde openbaarmaking van gevoelige informatie, wanneer de producten zijn geconfigureerd als SAML IDP, of als TCP TimeStamp is ingeschakeld bij een TCP-profiel dat is gekoppeld aan een virtuele server van het type: Load Balancing (LB), Content Switching (CS) of VPN.\n\nDe kwetsbaarheden met de kenmerken CVE-2026-8452 en CVE-2026-8655 bevinden zich in de manier waarop geheugen wordt beheerd in NetScaler ADC en NetScaler Gateway. Dit kan leiden tot een denial-of-service (DoS) of een ongewenste control flow wanneer de producten zijn geconfigureerd als Gateway, DNS-proxy, recursieve DNS-resolver of AAA-virtuele server.\n\nDe kwetsbaarheid met het kenmerk CVE-2026-13474 ontstaat door het onjuist vrijgeven van geheugen. Kwaadwillenden kunnen deze kwetsbaarheid misbruiken door via speciaal geprepareerde HTTP/2-verzoeken een denial-of-service (DoS) te veroorzaken.\n\nDe kwetsbaarheid met het kenmerk CVE-2026-10816 betreft een probleem met de toegangscontrole binnen de Management Interface. Niet-geauthenticeerde kwaadwillenden op afstand kunnen de kwetsbaarheid misbruiken om willekeurige bestanden uit te lezen. Dit kan resulteren in ongeautoriseerde openbaarmaking van gevoelige informatie.\n\nOnderzoekers hebben Proof-of-Concept (PoC) code gedeeld waarmee de kwetsbaarheid met kenmerk CVE-2026-8451 kan worden aangetoond.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Citrix heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Het NCSC adviseert organisaties om de door Citrix beschikbaar gestelde beveiligingsupdate op korte termijn te installeren. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "External Control of File Name or Path",
"title": "CWE-73"
},
{
"category": "general",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604"
}
],
"title": "Kwetsbaarheden verholpen in Citrix Netscaler ADC en Netscaler Gateway",
"tracking": {
"current_release_date": "2026-06-30T20:43:47.142939Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0216",
"initial_release_date": "2026-06-30T20:43:47.142939Z",
"revision_history": [
{
"date": "2026-06-30T20:43:47.142939Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "ADC"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Gateway"
}
],
"category": "vendor",
"name": "NetScaler"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-8451",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "description",
"text": "A memory overread vulnerability exists in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider due to insufficient input validation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-8451 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-8451.json"
}
],
"title": "CVE-2026-8451"
},
{
"cve": "CVE-2026-8452",
"notes": [
{
"category": "description",
"text": "A memory overflow vulnerability in NetScaler ADC and NetScaler Gateway, when configured as Gateway or AAA virtual servers, can lead to unpredictable behavior and denial of service conditions.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-8452 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-8452.json"
}
],
"title": "CVE-2026-8452"
},
{
"cve": "CVE-2026-8655",
"notes": [
{
"category": "description",
"text": "Multiple memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway can cause unpredictable behavior and denial of service when configured as Oracle load balancer, DNS proxy, or DNS recursive resolver.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:L",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-8655 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-8655.json"
}
],
"title": "CVE-2026-8655"
},
{
"cve": "CVE-2026-10816",
"cwe": {
"id": "CWE-73",
"name": "External Control of File Name or Path"
},
"notes": [
{
"category": "other",
"text": "External Control of File Name or Path",
"title": "CWE-73"
},
{
"category": "description",
"text": "An unauthenticated arbitrary file read vulnerability affects NetScaler ADC and NetScaler Gateway when management access is enabled on NSIP, Cluster Management IP, or SNIP interfaces.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-10816 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-10816.json"
}
],
"title": "CVE-2026-10816"
},
{
"cve": "CVE-2026-10817",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "description",
"text": "Insufficient input validation in NetScaler ADC and Gateway with TCP TimeStamp enabled can lead to memory overread issues when used with specific virtual servers or services.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-10817 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-10817.json"
}
],
"title": "CVE-2026-10817"
},
{
"cve": "CVE-2026-13474",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
},
{
"category": "description",
"text": "A denial of service vulnerability in NetScaler ADC and NetScaler Gateway occurs when HTTP/2 is enabled in the HTTP Profile and linked to virtual servers or services, triggered by malformed HTTP/2 requests.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-13474 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-13474.json"
}
],
"title": "CVE-2026-13474"
}
]
}