How to Fix CVE-2026-3055: Out-of-Bounds Read in ADC

By Sai Kiran Pandrala

Patch immediately. CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog on 2026-03-30. Federal civilian agencies must remediate by 2026-04-02. Treat every internet-reachable instance as a priority patch.

What is CVE-2026-3055?

CVE-2026-3055 is an Out-of-Bounds Read flaw in NetScaler ADC. It carries a CVSS base score of 9.3 (critical). CISA confirmed real-world exploitation by adding it to the Known Exploited Vulnerabilities catalog on 2026-03-30.

From the source record: Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

Why it matters in practice: KEV-listed CVEs draw continuous internet-wide scanning. Any unpatched, internet-reachable installation is on borrowed time. The blast radius depends on how the affected service is exposed. An internet-facing instance with no compensating controls is the highest-risk configuration.

Am I affected?

You are affected if your installation of ADC matches a version listed in the Affected row above.

From the NetScaler/ADC CLI:

show version
show ns version

How to fix CVE-2026-3055

Apply the vendor patch. Target a build at or above: 37.262, 62.23, 66.59. The runnable command set below covers the most common deployment patterns for ADC.

Citrix NetScaler / ADC upgrade

# Vendor advisory: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368
shell
cd /var/nsinstall
mkdir build_<patched>; cd build_<patched>
# upload the .tgz via SCP, then
tar -xzvf build-<patched>.tgz
./installns
# After reboot:
show ns version

After applying the patch

1. Restart the service or device so the patched binary loads.
2. Confirm the running version matches the Fixed in row using the verification command below.
3. Rotate credentials and API keys that the affected service could access if the asset was exposed during the disclosure window.

If you can't patch immediately

Until the patch lands, narrow the attack surface with these runnable controls.

Restrict management-plane exposure

Block public access to the admin interface at the perimeter. Allow only trusted jump hosts and bastion IPs.

# Cisco IOS example: ACL on the management VTY
configure terminal
ip access-list standard MGMT-ACL
 permit 10.10.10.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-ACL in
 end
write memory

On Linux jump hosts in front of the appliance, drop traffic from anything outside the admin range:

sudo iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Mitigations are temporary. Apply the vendor patch as soon as a maintenance window opens.

How to verify the fix worked

Confirm the patched build is the one actually running.

show ns version

Expected: the build matches 37.262, 62.23, 66.59.

Also worth doing: pull recent log windows for any indicators of compromise listed in the vendor advisory, and re-run an authenticated vulnerability scan with up-to-date signatures.

Frequently asked questions

Related fixes

Other vulnerabilities in the same area that are worth patching alongside this one:

• How to Fix CVE-2026-22333: Deserialization RCE in YITH WooCommerce Compare — Deserialization RCE in YITH WooCommerce Compare
• How to Fix CVE-2026-4306: SQL Injection in WP Job Portal – AI-Powered Recruitment System for Company or Job Board website — SQL Injection in WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
• How to Fix CVE-2026-24068: Authentication Bypass in Vienna Assistant , Authentication Bypass in Vienna Assistant
• How to Fix CVE-2026-27980: Next.js: Unbounded next/image disk cache growth can exhaust storage , Next.js: Unbounded next/image disk cache growth can exhaust storage
• How to Fix CVE-2026-30822: Improperly controlled modification of dynamically-determined object attributes in. , Improperly controlled modification of dynamically-determined object attributes in.

Is CVE-2026-3055 being exploited in the wild?

Yes. CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog on 2026-03-30. KEV listing means at least one confirmed real-world exploitation report exists.

Do I have to take downtime to patch?

For most NetScaler ADC deployments, the patched build needs a service restart or device reboot. HA pairs and clusters can roll the upgrade by patching the standby first, failing over, then patching the former primary.

Will a WAF or IDS rule alone close CVE-2026-3055?

No. Network filters cut down opportunistic scans but they do not remove the flaw. The vendor patch is the only durable fix.

Why is CVE-2026-3055 rated critical?

The CVSS base score of 9.3 reflects network reach, low attack complexity, and high impact on confidentiality, integrity, and availability. That combination is what the rating model maps to critical.

References

• Official vendor advisory: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-3055
• CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• CISA KEV entry: "Citrix NetScaler Out-of-Bounds Read Vulnerability" - added 2026-03-30, due 2026-04-02
• Additional reference: https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/
• Additional reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

*Assembled from the official vendor advisory, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against the vendor advisory before applying changes in production.*