(picussecurity.com) CVE-2026-3055 'CitrixBleed 3': Critical Unauthenticated Memory Overread in Citrix NetScaler SAML IdP Path

orlysec@swecyb.com

(picussecurity.com) CVE-2026-3055 'CitrixBleed 3': Critical Unauthenticated Memory Overread in Citrix NetScaler SAML IdP Path

Critical unauthenticated memory overread vulnerability CVE-2026-3055 ('CitrixBleed 3') actively exploited in Citrix NetScaler ADC/Gateway SAML IdP deployments. CVSS v4.0 9.3 flaw leaks session tokens, SAML assertions, and LDAP credentials via NSC_TASS cookie. Patch immediately.

In brief - CVE-2026-3055 enables pre-authentication memory disclosure in NetScaler SAML IdP paths, exposing sensitive credentials and session material. Actively exploited; CISA KEV-listed. Patch to 14.1-66.59/13.1-62.23/13.1-FIPS 13.1-37.262 and rotate all credentials on exposed systems.

Technically - Two exploitation primitives: (1) malformed SAMLRequest to /saml/login omitting AssertionConsumerServiceURL triggers CWE-125 out-of-bounds read, leaking heap memory in NSC_TASS; (2) valueless wctx parameter to /wsfed/passive dereferences uninitialized buffer. Companion CVE-2026-4368 (CWE-362) race condition enables cross-user session hijacking on 14.1-66.54. Detect via anomalous NSC_TASS sizes, malformed SAMLRequest payloads, and /wsfed/passive?wctx URI patterns.

Source: https://www.picussecurity.com/resource/blog/cve-2026-3055-cve-2026-4368-inside-the-netscaler-citrixbleed-3-memory-overread

#Cybersecurity #ThreatIntel