
Citrix NetScaler CVE-2026-3055 Critical Memory Overread Vulnerability

CISA Known Exploited Vulnerabilities (KEV)
Published March 31st, 2026
Detected March 31st, 2026

Summary

CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog. This critical memory overread vulnerability (CVSS 9.3) affects Citrix NetScaler ADC and Gateway when configured as a SAML IDP. Affected versions include 14.1 before 66.59 and 13.1 before 62.23. CISA's SSVC assessment records exploitation as active and automatable, with total technical impact.

What changed

The CISA KEV catalog added CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and Gateway when configured as a SAML IDP. Insufficient input validation allows an out-of-bounds read (CWE-125). The CVSS 4.0 score is 9.3 (CRITICAL), with a network-exploitable, low-complexity attack vector. Exploitation is confirmed active, with total technical impact.

Organizations running affected NetScaler versions must patch immediately to 14.1-66.59, 13.1-62.23, or later. Federal agencies should apply patches within 21 days per BOD 22-01 requirements. Given the active exploitation status and automatable attack vector, immediate remediation is critical regardless of organizational type.

What to do next

  1. Identify all NetScaler ADC and Gateway deployments configured as SAML IDP
  2. Check running versions against affected ranges (14.1 before 66.59, 13.1 before 62.23)
  3. Apply vendor patches to remediate CVE-2026-3055 immediately
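A triage helper for step 2, added here as an example (not part of the notice and not Citrix or CISA tooling). It assumes version strings in the `release-build.subbuild` form used above (for example `14.1-66.59`) and a constructed CSV inventory whose `saml_idp` and `fips` columns are assumed to come from your own configuration review:

```python
import csv
import io
import re

# First fixed build per (release, FIPS/NDcPP) pair, taken from the record's product
# status: "affected from 14.1 before 66.59" means every 14.1 build below 66.59.
FIRST_FIXED = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),  # "13.1 FIPS and NDcPP before 37.262"
}

# Assumed version string form "14.1-66.59": release, then build.subbuild.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_version(text):
    """'14.1-66.59' -> ('14.1', (66, 59)); anything else is rejected, not guessed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version, saml_idp, fips=False):
    """Classify one appliance: only SAML IDP deployments are in scope, and a
    release/FIPS pair the record does not list is flagged 'not-listed' (record
    default is unaffected) for a manual check against the vendor bulletin."""
    if not saml_idp:
        return "not-saml-idp"
    release, build = parse_version(version)
    fixed = FIRST_FIXED.get((release, fips))
    if fixed is None:
        return "not-listed"
    # Tuple comparison orders by build, then subbuild (65.39 < 66.59).
    return "affected" if build < fixed else "patched"

def triage(inventory_csv):
    """Return {host: status} for CSV columns host,version,saml_idp,fips."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["version"], r["saml_idp"] == "yes", r["fips"] == "yes")
            for r in rows}

# Constructed sample inventory (fictional hosts), in the assumed CSV layout.
SAMPLE_INVENTORY = """\
host,version,saml_idp,fips
gw-01,14.1-66.59,yes,no
gw-02,14.1-65.39,yes,no
adc-03,13.1-59.19,yes,no
adc-04,13.1-37.250,yes,yes
lb-05,14.1-60.14,no,no
"""
```

Hosts reported as `not-listed` (a release or FIPS/NDcPP build the record does not enumerate) should be checked against the vendor bulletin rather than treated as safe.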

Source document (simplified)

Required CVE Record Information

CNA: NetScaler

Description

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP, leading to memory overread.

CWE (1)

- CWE-125: Out-of-bounds Read

CVSS (1)

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.3 | CRITICAL | 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L |

Product Status

Product entry 1 (3 versions), default status: unaffected

  • affected from 14.1 before 66.59
  • affected from 13.1 before 62.23
  • affected from 13.1 FIPS and NDcPP before 37.262

Product entry 2 (2 versions), default status: unaffected

  • affected from 14.1 before 66.59
  • affected from 13.1 before 62.23

References (1)

Authorized Data Publishers

CISA-ADP (updated 2026-03-31): SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC (1)

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-03-23 |

KEV (1)

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3055 (2026-03-30)

Named provisions: KEV Catalog Entry; SSVC Assessment

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CISA
Published: March 31st, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Minor
Document ID: CVE-2026-3055

Who this affects

Applies to: Government agencies; Technology companies
Industry sector: 5112 Software & Technology; 3341 Computer & Electronics Manufacturing
Activity scope: Vulnerability Management; Patch Management
Threshold: NetScaler ADC or Gateway configured as SAML IDP; versions 14.1 before 66.59 or 13.1 before 62.23
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy; Critical Infrastructure
