Citrix Patches NetScaler Vulnerabilities, Including New ‘HTTP/2 Bomb’ Attack


Citrix on Tuesday announced fresh NetScaler ADC and NetScaler Gateway security updates that resolve six vulnerabilities, including the recent HTTP/2 Bomb flaw.

Four of the issues, tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816, are high-severity out-of-bounds read, memory overflow, and arbitrary file read bugs.

Tracked as CVE-2026-10816, the fifth is a medium-severity out-of-bounds read, while the sixth is HTTP/2 Bomb, a denial-of-service (DoS) exploit targeting Apache HTTP Server.

Tracked as CVE-2026-49975 and discovered using OpenAI’s Codex, HTTP/2 Bomb combines previously known attack techniques to knock web servers offline. Citrix assigned it a separate NetScaler-specific CVE identifier, CVE-2026-13474.

All these weaknesses were addressed in NetScaler ADC and NetScaler Gateway versions 14.1-72.61 and 13.1-63.18, NetScaler ADC FIPS version 14.1-72.61 FIPS, and in NetScaler ADC FIPS and NDcPP version 13.1-37.272.

Citrix points out that each vulnerability has different configuration-specific preconditions and that customers should evaluate if their deployments have the vulnerable...

Copyright of this story solely belongs to securityweek.com.