Cyber Posture

CVE-2026-3055

Critical · CISA KEV · Active Exploitation · Public PoC

Published: 23 March 2026
Modified: 31 March 2026
KEV Added: 30 March 2026
Patch: see vendor advisory (Details below)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7061 (98.7th percentile)
Risk Priority: 82 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Directly enforces comprehensive input validation mechanisms to prevent memory overreads from malformed SAML inputs in NetScaler ADC/Gateway.
- Prevent: Implements security safeguards to protect system memory from unauthorized access, directly mitigating the memory overread vulnerability.
- Prevent: Requires identification, reporting, and correction of flaws like this CVE through timely patching as per vendor advisory.

Security Summary [AI-generated]

CVE-2026-3055 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) stemming from insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (IDP), leading to a memory overread classified under CWE-125. Published on 2026-03-23, it affects these Citrix components in the specified configuration.

The flaw is exploitable remotely over the network with low attack complexity and requires no privileges, user interaction, or special conditions. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially allowing an attacker to read sensitive memory contents and disrupt system operations.

Mitigation details are outlined in the official Citrix advisory at CTX696300. Further technical analysis appears in Watchtower Labs' coverage, and the vulnerability is included in CISA's Known Exploited Vulnerabilities catalog.

Details

CWE(s): CWE-125 (Out-of-bounds Read)
KEV Date Added: 30 March 2026

Affected Products

Vendor: Citrix
- NetScaler Application Delivery Controller: 13.1 — 13.1-37.262 · 13.1 — 13.1-37.262 · 13.1 — 13.1-62.23
- NetScaler Gateway: 13.1 — 13.1-62.23 · 14.1 — 14.1-60.58

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a remotely exploitable flaw in a public-facing NetScaler ADC/Gateway SAML IDP with no privileges required, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References