CVE-2026-3055
Memory Overread in NetScaler ADC/Gateway SAML IDP Due to Input Validation
Publication date: 2026-03-23
Last updated on: 2026-03-31
Assigner: 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| citrix | netscaler_application_delivery_controller | From 13.1 (inc) to 13.1-62.23 (exc) |
| citrix | netscaler_application_delivery_controller | From 14.1 (inc) to 14.1-60.58 (exc) |
| citrix | netscaler_application_delivery_controller | From 13.1 (inc) to 13.1-37.262 (exc) |
| citrix | netscaler_gateway | From 13.1 (inc) to 13.1-62.23 (exc) |
| citrix | netscaler_gateway | From 14.1 (inc) to 14.1-60.58 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to avoid configuring Citrix NetScaler appliances as SAML Identity Providers (IdP), or to disable that configuration where it is already in place, since the vulnerable code path is only reachable in the SAML IdP configuration.
Administrators should monitor for exploitation attempts using detection artifacts and block suspicious traffic targeting the vulnerable endpoints `/saml/login` and `/wsfed/passive?wctx`.
Applying any available patches or updates from Citrix addressing this vulnerability is critical once released.
Until patches are applied, consider implementing network-level controls such as firewall rules or web application firewall (WAF) policies to block or restrict access to the vulnerable endpoints.
Can you explain this vulnerability to me?
CVE-2026-3055 involves multiple memory overread vulnerabilities in Citrix NetScaler appliances, specifically when configured as a SAML Identity Provider (IdP). The vulnerability affects endpoints such as `/saml/login` and `/wsfed/passive?wctx`.
One key flaw occurs when a crafted HTTP GET request includes the `wctx` query parameter that is present but empty and lacks an equals sign (`=`). The vulnerable appliance incorrectly checks only for the presence of this parameter without verifying if it contains a value, leading to access of uninitialized or 'dead' memory.
This causes the appliance to leak kilobytes of memory, which is base64-encoded and returned in the `NSC_TASS` cookie. The leaked memory can contain sensitive information such as HTTP headers, session IDs, and potentially authenticated administrative session tokens.
The memory content varies with each request, allowing attackers to repeatedly extract different chunks of sensitive data. Exploitation has been observed in the wild starting from March 27, 2026.
How can this vulnerability impact me?
This vulnerability can lead to the disclosure of sensitive information from the NetScaler appliance's memory. Attackers can extract HTTP headers, session IDs, and authenticated administrative session tokens.
Such information leakage can allow attackers to hijack sessions, gain unauthorized administrative access, and potentially compromise the security of the network and connected systems.
Because the memory content changes with each request, attackers can repeatedly exploit this flaw to gather a wide range of sensitive data over time.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-3055 can be detected by monitoring for crafted HTTP GET requests to the endpoints `/saml/login` and `/wsfed/passive?wctx` on Citrix NetScaler appliances configured as SAML Identity Providers. Specifically, detection focuses on requests where the `wctx` query parameter is present but empty and lacks an equals sign (`=`).
These requests cause the appliance to leak base64-encoded memory content in the `NSC_TASS` cookie, which can be inspected to confirm exploitation attempts.
A Detection Artifact Generator has been released by researchers to help identify vulnerable hosts and ongoing exploitation.
- Monitor HTTP GET requests to `/wsfed/passive?wctx` with an empty `wctx` parameter.
- Inspect responses for the presence of the `NSC_TASS` cookie containing base64-encoded data.
- Look for unusual or repeated requests containing the `Citrix-ns-orig-srcip` header, which may indicate internal exploitation attempts.
While specific commands are not provided in the resources, network administrators can use tools like curl or tcpdump to capture and analyze HTTP traffic to these endpoints, filtering for the described patterns.
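The first two detection checks above, implemented as a small log-scanning script. This is an added example, not part of the advisory or of any Citrix or researcher tooling: the access-log format, client IPs and cookie contents are constructed for illustration, and the only page-derived specifics are the two endpoint paths, the bare `wctx` parameter and the `NSC_TASS` cookie name.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (assumed format: client IP, quoted
# request line, status). Only the bare "?wctx" requests should be flagged.
SAMPLE_LOG = """\
203.0.113.7 "GET /wsfed/passive?wctx HTTP/1.1" 200
203.0.113.7 "GET /wsfed/passive?wctx=abc123 HTTP/1.1" 200
198.51.100.9 "GET /saml/login?wctx HTTP/1.1" 200
198.51.100.9 "GET /saml/login HTTP/1.1" 200
192.0.2.4 "GET /wsfed/passive?wctx= HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
WATCHED_PATHS = {"/wsfed/passive", "/saml/login"}


def has_bare_param(query: str, name: str) -> bool:
    """True if `name` appears as a key with no '=' at all (e.g. '?wctx').
    urllib's parse_qs maps both 'wctx' and 'wctx=' to an empty value, so
    the distinction the advisory describes has to be made by hand."""
    return any(part == name for part in query.split("&"))


def is_suspicious_request(method: str, target: str) -> bool:
    url = urlsplit(target)
    return method == "GET" and url.path in WATCHED_PATHS and has_bare_param(url.query, "wctx")


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for every request matching the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["method"], m["target"]):
            hits.append((m["ip"], m["target"]))
    return hits


def nsc_tass_payload_len(set_cookie_headers: list[str]) -> int:
    """Decoded byte length of the NSC_TASS cookie if its value is valid
    base64, else 0. A large decoded length on a response to a flagged
    request is the indicator worth escalating."""
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        if name.strip() != "NSC_TASS":
            continue
        value = rest.split(";", 1)[0].strip()
        try:
            return len(base64.b64decode(value, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            return 0
    return 0
```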