Citrix Patches NetScaler Vulnerabilities, Including New ‘HTTP/2 Bomb’ Attack
Citrix on Tuesday announced fresh NetScaler ADC and NetScaler Gateway security updates that resolve six vulnerabilities, including the recent HTTP/2 Bomb flaw.
Four of the issues, tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816, are high-severity out-of-bounds read, memory overflow, and arbitrary file read bugs.
Tracked as CVE-2026-10816, the fifth is a medium-severity out-of-bounds read, while the sixth is HTTP/2 Bomb, a denial-of-service (DoS) exploit targeting Apache HTTP Server.
Tracked as CVE-2026-49975 and discovered using OpenAI’s Codex, HTTP/2 Bomb combines previously known attack techniques to knock web servers offline. Citrix assigned it a separate NetScaler-specific CVE identifier, CVE-2026-13474.
All these weaknesses were addressed in NetScaler ADC and NetScaler Gateway versions 14.1-72.61 and 13.1-63.18, NetScaler ADC FIPS version 14.1-72.61 FIPS, and in NetScaler ADC FIPS and NDcPP version 13.1-37.272.
Citrix points out that each vulnerability has different configuration-specific preconditions and that customers should evaluate if their deployments have the vulnerable...
Copyright of this story solely belongs to securityweek.com.