NetScaler - Memory Disclosure (CVE-2026-3055)
27 exploiting IPs reported
Insufficient input validation leading to memory overread in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (SAML IDP).
CrowdSec analysis
CVE-2026-3055 is a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider. Due to insufficient input validation, unauthenticated attackers can trigger an out-of-bounds read that leaks sensitive memory contents, including administrative session cookies, potentially enabling full appliance compromise.
CrowdSec has been tracking this vulnerability and its exploits since the 30th of March 2026.
CrowdSec network observations suggest that most exploitation of CVE-2026-3055 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2026-3055 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2026-3055 continues to be an active part of the threat landscape and will likely remain this way for the foreseeable future.
Attackers exploit the SAML IDP endpoints by sending crafted POST requests to /saml/login with a malicious SAMLRequest payload, or GET requests to /wsfed/passive?wctx with an empty parameter value. Either request triggers a memory overread that leaks sensitive data, such as session cookies, in the NSC_TASS cookie.
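A log-triage sketch for the two request patterns described above, added here as an example and not CrowdSec or Citrix code. It assumes access logs in Common Log Format from a proxy or load balancer in front of the appliance; the sample lines, the function name triage and the post_threshold value are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Common Log Format (assumed format; documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Apr/2026:10:01:11 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 200 512
198.51.100.7 - - [02/Apr/2026:10:01:12 +0000] "GET /wsfed/passive?wctx= HTTP/1.1" 200 498
203.0.113.20 - - [02/Apr/2026:10:02:40 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx=rm%3D0 HTTP/1.1" 302 0
203.0.113.20 - - [02/Apr/2026:10:03:02 +0000] "POST /saml/login HTTP/1.1" 200 2210
192.0.2.55 - - [02/Apr/2026:10:04:00 +0000] "POST /saml/login HTTP/1.1" 200 9120
192.0.2.55 - - [02/Apr/2026:10:04:01 +0000] "POST /saml/login HTTP/1.1" 200 9120
192.0.2.55 - - [02/Apr/2026:10:04:02 +0000] "POST /saml/login HTTP/1.1" 200 9120
"""

# source IP, method and request target from one Common Log Format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def triage(log_text, post_threshold=3):
    """Return (empty-wctx hits, sources with >= post_threshold POSTs to /saml/login)."""
    empty_wctx, posts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, method, target = m.groups()
        url = urlsplit(target)
        # Lower-casing and trimming the trailing slash is a conservative choice
        # so that path variants are still matched.
        path = url.path.rstrip("/").lower()
        if method == "GET" and path == "/wsfed/passive":
            # keep_blank_values makes both "?wctx" and "?wctx=" parse as empty
            values = parse_qs(url.query, keep_blank_values=True).get("wctx")
            if values is not None and all(v == "" for v in values):
                empty_wctx.append((src, target))
        elif method == "POST" and path == "/saml/login":
            # The body is not in access logs and legitimate logins also POST
            # here, so only per-source volume is reported for review.
            posts[src] += 1
    noisy = {ip: n for ip, n in posts.items() if n >= post_threshold}
    return empty_wctx, noisy

if __name__ == "__main__":
    hits, noisy = triage(SAMPLE_LOG)
    for src, target in hits:
        print(f"empty wctx: {src} {target}")
    for ip, n in noisy.items():
        print(f"review: {ip} sent {n} POSTs to /saml/login")
```

The empty wctx match is the higher-confidence signal of the two; the POST count only ranks sources for manual review and needs tuning against normal login volume.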