On March 23, 2026, Cloud Software Group released a high-priority security bulletin addressing two vulnerabilities in NetScaler Gateway and NetScaler ADC. The flaws, which affect all physical and virtual form factors, could lead to sensitive data exposure or unauthorized session access, prompting a strong recommendation for immediate firmware updates.
The more severe of the two, CVE-2026-3055, carries a CVSS score of 9.3 and stems from “insufficient input validation which may lead to memory overread”.
This critical flaw is specifically tied to NetScalers acting as a SAML Identity Provider (IDP). When configured this way, the system’s failure to properly validate input could allow an attacker to read data from the device’s memory.
“CVE-2026-3055 is implicated only if NetScaler Gateway or NetScaler ADC is configured as a SAML IDP,” the advisory clarifies.
Organizations can check for this risk by inspecting their configuration for the string: add authentication samlIdPProfile .*. Importantly, those configured as a SAML Service Provider (SP) are not impacted by this specific bug.
The second vulnerability, CVE-2026-4368, with a CVSS score of 7.7, is a “race condition leading to session mix up post user authentication”. This flaw is active if the NetScaler is configured as an AAA virtual server or a Gateway supporting SSL VPN, ICA Proxy, or RDP Proxy.
This “session mix-up” could potentially allow a user to inadvertently gain access to another user’s active session, compromising account integrity. You can determine whether an appliance is configured in either of these roles by inspecting its NetScaler configuration for the following strings:
- An Auth Server (AAA Vserver): add authentication vserver .*
- A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy): add vpn vserver .*
The following versions of NetScaler ADC and NetScaler Gateway are currently listed as vulnerable:
- For CVE-2026-3055: All 14.1 versions before 14.1-66.59 and all 13.1 versions before 13.1-62.23.
- For CVE-2026-4368: Specifically version 14.1-66.54.
Cloud Software Group “strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the following updated versions as soon as possible”:
- NetScaler 14.1: Upgrade to 14.1-66.59 or later.
- NetScaler 13.1: Upgrade to 13.1-62.23 or later.
- FIPS and NDcPP Versions: Upgrade to 13.1.37.262 or later.
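The configuration strings and version ranges above can be combined into a single triage check. The following script is an added example, not from the advisory or from Cloud Software Group, and it assumes a running-config export in the usual ns.conf line format; the sample configuration lines are constructed for illustration. It only understands the mainline 14.1 and 13.1 version format (e.g. 14.1-66.54), not the separate FIPS/NDcPP build numbering.

```python
import re
import sys

# Constructed sample configuration lines (not from any real appliance).
# They exercise all three roles named in the advisory.
SAMPLE_CONFIG = """\
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert -samlSPCertName spcert
add authentication vserver aaa_vs SSL 10.0.0.10 443
add vpn vserver gw_vs SSL 10.0.0.11 443
bind vpn vserver gw_vs -policy pol1
"""

# The exact strings the advisory tells administrators to look for.
ADVISORY_PATTERNS = {
    "saml_idp": re.compile(r"^add authentication samlIdPProfile .*", re.M),
    "aaa_vserver": re.compile(r"^add authentication vserver .*", re.M),
    "vpn_vserver": re.compile(r"^add vpn vserver .*", re.M),
}

# First fixed build per branch for CVE-2026-3055, from the advisory.
FIXED_3055 = {
    (14, 1): (14, 1, 66, 59),
    (13, 1): (13, 1, 62, 23),
}

# The single build listed as affected by CVE-2026-4368.
AFFECTED_4368 = (14, 1, 66, 54)


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '14.1-66.54' into (14, 1, 66, 54) so builds compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor, build, sub)


def affected_by_3055(version: str) -> bool:
    """True if the build is below the first fixed build of its branch."""
    v = parse_version(version)
    fixed = FIXED_3055.get((v[0], v[1]))
    return fixed is not None and v < fixed


def affected_by_4368(version: str) -> bool:
    return parse_version(version) == AFFECTED_4368


def detect_roles(config_text: str) -> dict[str, bool]:
    """Which advisory-relevant roles the configuration enables."""
    return {name: bool(pat.search(config_text)) for name, pat in ADVISORY_PATTERNS.items()}


def assess(config_text: str, version: str) -> dict:
    """Combine role detection with the version ranges to list applicable CVEs."""
    roles = detect_roles(config_text)
    findings = []
    # CVE-2026-3055 applies only when acting as a SAML IdP.
    if roles["saml_idp"] and affected_by_3055(version):
        findings.append("CVE-2026-3055")
    # CVE-2026-4368 applies to AAA vservers and Gateway (vpn) vservers.
    if (roles["aaa_vserver"] or roles["vpn_vserver"]) and affected_by_4368(version):
        findings.append("CVE-2026-4368")
    return {"version": version, "roles": roles, "findings": findings}


if __name__ == "__main__":
    # Usage: python check_netscaler.py <ns.conf> <version>; with no
    # arguments the constructed sample is assessed at the affected build.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = assess(fh.read(), sys.argv[2])
    else:
        result = assess(SAMPLE_CONFIG, "14.1-66.54")
    for role, present in result["roles"].items():
        print(f"{role:12s}: {'present' if present else 'absent'}")
    print("applicable:", ", ".join(result["findings"]) or "none")
```

The role check deliberately mirrors the advisory's own patterns rather than trying to parse the full NetScaler grammar, so a match means the same thing the bulletin means. Appliances on the FIPS/NDcPP track need to be compared against the 13.1.37.262 build manually.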
While there are currently no known active exploits for these flaws, the high CVSS scores make these updates a critical priority for any security team.