What is CVE-2026-3055?

CVE-2026-3055 is an out-of-bounds read (CWE-125) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML Identity Provider (IDP). Insufficient input validation on a field in the SAML flow causes the appliance to read past the end of an allocated buffer and return that memory — including uninitialized bytes and leftover session data — back to the attacker in the HTTP response.

Is CVE-2026-3055 being actively exploited?

Yes. CISA added CVE-2026-3055 to the KEV catalog on March 30, 2026, only a week after Citrix published the bulletin, with a federal remediation deadline of April 2 — a three-day window that signals observed in-the-wild exploitation at scale.

Am I exposed to CVE-2026-3055?

The flaw is only exploitable when the appliance is configured as a SAML IDP or SAML SP with IDP functionality enabled. The affected builds are:

How do I fix CVE-2026-3055?

These branches are end-of-life and will not receive a patch. Move to a supported branch as part of the same change window.

CVE-2026-3055: Citrix NetScaler SAML IDP Memory Overread — CitrixBleed 3 Under Active Exploitation

By the Pinaka team — April 16, 2026

CVE-2026-3055 is a critical (CVSS v4.0 9.3) out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway configured as a SAML Identity Provider. Insufficient input validation lets an unauthenticated network attacker trigger a memory overread, exfiltrating session tokens, authentication cookies, and SAML assertions from process memory — the same class of bug as the original CitrixBleed (CVE-2023-4966). Added to CISA KEV on March 30, 2026 with a 3-day federal remediation deadline. Fixed in NetScaler 14.1-66.59, 13.1-62.23, and 13.1-FIPS/NDcPP 37.262. Paired with CVE-2026-4368 under Citrix bulletin CTX696300.

Topics: CVE Analysis, Citrix, NetScaler, SAML, Memory Disclosure, CISA KEV, CitrixBleed

Read full analysis