Zero-Day Security Alert — March 31, 2026: Citrix NetScaler Actively Exploited Memory Overread
- Jacob Hughes
- Mar 31
Daily Security Briefing
March 31, 2026
CVE-2026-3055 | CVSS 9.3 | CRITICAL Severity | Actively Exploited (CISA KEV)
Affected Product
Citrix NetScaler ADC and NetScaler Gateway (all versions when configured as a SAML Identity Provider)
Description
An out-of-bounds read vulnerability exists in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (IDP). Insufficient input validation allows an unauthenticated remote attacker to trigger a memory overread, potentially exposing sensitive data from server memory. This vulnerability is confirmed to be actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities catalog.
Attack Vector
Network-based, with low attack complexity. No authentication or user interaction is required: any remote attacker who can reach a NetScaler appliance configured as a SAML IDP over the network can send it crafted requests to trigger the overread.
Remediation
Apply the vendor-supplied patch immediately. Citrix has published remediation guidance in advisory CTX696300 at support.citrix.com. Organizations using NetScaler ADC or Gateway as a SAML IDP should prioritize patching. If immediate patching is not possible, consider temporarily disabling the SAML IDP configuration until the update can be applied. Review logs for indicators of exploitation.
CISA Remediation Due Date: April 2, 2026
This report is generated automatically from NVD and CISA KEV data.