CVE-2026-10817 Overview
CVE-2026-10817 is a memory overread vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. The flaw stems from insufficient input validation in TCP TimeStamp processing when the option is enabled in a TCP Profile bound to a virtual server of type Load Balancing (LB), Content Switching (CS), or VPN, or to a service configured on NetScaler. An unauthenticated remote attacker can trigger an out-of-bounds read [CWE-125] that leaks adjacent memory contents over the network. The issue is tracked under Citrix advisory CTX696604.
Critical Impact
An unauthenticated network-based attacker can read process memory from affected NetScaler devices without user interaction, potentially exposing sensitive runtime data.
Affected Products
- Citrix NetScaler Application Delivery Controller (including FIPS and NDcPP editions, e.g., 14.1-66.68 FIPS build)
- Citrix NetScaler Gateway
- Deployments where TCP TimeStamp is enabled in the TCP Profile bound to LB, CS, or VPN virtual servers or configured services
Discovery Timeline
- 2026-06-30 - CVE-2026-10817 published to the National Vulnerability Database
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-10817
Vulnerability Analysis
The vulnerability resides in the TCP stack path that processes the TCP TimeStamp option (RFC 7323) on NetScaler ADC and Gateway. When a TCP Profile with TimeStamp enabled is associated with a virtual server (LB, CS, VPN) or service, the packet parser fails to correctly validate input bounds. This allows a remote peer to influence the parser into reading beyond the intended buffer boundary. The attack requires only network reachability to the listening virtual server or service and no authentication or user interaction. The exposed memory can include transient data present in adjacent buffers, which may aid follow-on attacks.
Root Cause
The root cause is an out-of-bounds read [CWE-125] triggered by insufficient input validation of the TCP TimeStamp option fields. The processing routine trusts attacker-controlled length or offset semantics without verifying them against the actual buffer size, leading to memory overread during option handling.
Attack Vector
Exploitation is network-based and unauthenticated. An attacker sends specially crafted TCP segments containing malformed TimeStamp option data to any virtual server or service on the NetScaler where the associated TCP Profile has TimeStamp enabled. The device responds in a manner that reveals overread memory to the attacker. No specific privileges or interaction from an administrator or end user are required.
Because no verified public proof-of-concept is available, refer to the Citrix Knowledge Base Article CTX696604 for vendor-supplied technical detail.
// No verified public exploit code is available for CVE-2026-10817.
// The vulnerability is triggered by malformed TCP TimeStamp option
// values processed by an affected TCP Profile bound to an LB, CS,
// or VPN virtual server or service.
Detection Methods for CVE-2026-10817
Indicators of Compromise
- Unusual volumes of TCP segments to NetScaler VIPs containing malformed or oversized TimeStamp options (TCP option kind 8)
- Unexpected TCP resets or asymmetric responses from NetScaler virtual servers following crafted option payloads
- Repeated short-lived TCP connections from a single source targeting LB, CS, or VPN VIPs where TCP TimeStamp is enabled
Detection Strategies
- Deploy IDS/IPS signatures that inspect TCP option fields for malformed TimeStamp (kind 8, length 10) structures
- Correlate NetScaler newnslog and audit logs against network telemetry to identify anomalous option handling on VIPs bound to TimeStamp-enabled TCP Profiles
- Baseline normal TCP option distributions per virtual server and alert on statistical deviations
Monitoring Recommendations
- Enable full packet capture at ingress to NetScaler management and data-plane interfaces during triage windows
- Forward NetScaler syslog to a centralized SIEM and alert on repeated parsing errors or connection anomalies tied to specific TCP Profiles
- Monitor egress from NetScaler for unexpected data patterns that could indicate leaked memory content being returned to attackers
How to Mitigate CVE-2026-10817
Immediate Actions Required
- Inventory NetScaler ADC and Gateway appliances and identify TCP Profiles with TimeStamp enabled that are bound to LB, CS, VPN virtual servers or services
- Apply the fixed builds referenced in Citrix CTX696604 as soon as maintenance windows permit
- Restrict management plane exposure and place data-plane VIPs behind network controls that inspect malformed TCP options
Patch Information
Citrix has published guidance and fixed builds in the vendor advisory CTX696604. Administrators should upgrade affected NetScaler ADC and NetScaler Gateway appliances, including FIPS and NDcPP variants such as 14.1-66.68, to the versions listed in the advisory. FIPS-certified deployments should follow the vendor's certified upgrade path to preserve compliance.
Workarounds
- Disable TCP TimeStamp in TCP Profiles that are bound to LB, CS, or VPN virtual servers and services where the option is not operationally required
- Bind virtual servers to a TCP Profile that does not enable TimeStamp until patches are applied
- Limit exposure of affected VIPs to trusted networks using upstream ACLs while remediation is planned
# Example: create a TCP profile with TimeStamp disabled and bind it to a vserver
add ns tcpProfile tcp_no_ts -TimeStamp DISABLED
set lb vserver <vserver_name> -tcpProfileName tcp_no_ts
# Verify configuration
show ns tcpProfile tcp_no_ts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

