Cyber Resilience

CVE-2026-3055

Critical · CISA KEV · Active Exploitation · EUVD Exploited · UK NCSC Alert · Public PoC

Published: 23 March 2026
Modified: 31 March 2026
KEV Added: 30 March 2026
Patch
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.8400 (99.7th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-3055 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Citrix NetScaler Application Delivery Controller. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3055 is an out-of-bounds memory read (CWE-125) caused by insufficient input validation in Citrix NetScaler ADC and NetScaler Gateway when those appliances are configured as SAML identity providers. The flaw carries a CVSS 4.0 score of 9.3 and affects the SAML assertion handling path, allowing an unauthenticated remote attacker to read memory contents beyond intended boundaries.

An attacker who can reach the SAML IDP endpoint can supply a crafted request that triggers the overread. Successful exploitation yields disclosure of sensitive memory regions, which may contain session tokens, cryptographic material, or other data that can be leveraged to escalate to full compromise of the affected appliance.

Citrix security bulletin CTX696300 describes the affected versions and provides patched builds; administrators are advised to apply the vendor updates or implement the recommended configuration mitigations. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

The EPSS score has remained at its observed peak of 0.8992 since disclosure, indicating sustained exploitation interest.

EU & UK References

Vulnerability details

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

CWE(s): CWE-125 (Out-of-bounds Read)
KEV Date Added: 30 March 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable flaw in a public-facing NetScaler ADC/Gateway SAML IDP with no privileges required, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7775 · Same product: Citrix NetScaler Application Delivery Controller · both on KEV
CVE-2023-4966 · Same product: Citrix NetScaler Application Delivery Controller · both on KEV
CVE-2025-7776 · Same product: Citrix NetScaler Application Delivery Controller
CVE-2025-0282 · Same product class: VPN / SSL gateway · both on KEV
CVE-2024-55591 · Same product class: VPN / SSL gateway · both on KEV
CVE-2026-24858 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-24472 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-0111 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-59718 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-0108 · Same product class: VPN / SSL gateway · both on KEV

Affected Assets

Citrix NetScaler Application Delivery Controller: 13.1 — 13.1-37.262 · 13.1 — 13.1-62.23
Citrix NetScaler Gateway: 13.1 — 13.1-62.23 · 14.1 — 14.1-60.58

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · SI-10 (Information Input Validation)

Directly requires validation of all inputs to the SAML IDP assertion handler, eliminating the malformed request that triggers the out-of-bounds memory read.

prevent · SI-16 (Memory Protection)

Enforces memory-access protections that block or contain the out-of-bounds read in the SAML processing path before sensitive data can be disclosed.

prevent

Mandates prompt installation of the vendor patches listed in CTX696300, removing the insufficient-validation flaw from the affected NetScaler builds.

References