Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13474

CVE-2026-13474: Citrix NetScaler ADC DoS Vulnerability

CVE-2026-13474 is a denial of service vulnerability in Citrix NetScaler ADC caused by malformed HTTP/2 requests. Attackers can exploit this flaw when HTTP/2 is enabled. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-13474 Overview

CVE-2026-13474 is a denial-of-service vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. Malformed HTTP/2 requests can exhaust resources on affected appliances, causing service disruption. The flaw is exploitable when HTTP/2 is enabled in the HTTP Profile and associated with a virtual server of type Load Balancing (LB), Content Switching (CS), or VPN, or with a service configured on NetScaler.

The vulnerability is tracked under [CWE-401] (Missing Release of Memory after Effective Lifetime), indicating a memory leak triggered by malformed protocol input. It is unauthenticated and network-reachable, requiring no user interaction.

Critical Impact

Remote unauthenticated attackers can trigger denial of service on NetScaler ADC and Gateway appliances by sending malformed HTTP/2 requests when HTTP/2 is enabled on affected virtual servers or services.

Affected Products

  • Citrix NetScaler Application Delivery Controller (ADC)
  • Citrix NetScaler Application Delivery Controller (FIPS and NDcPP editions)
  • Citrix NetScaler Gateway

Discovery Timeline

  • 2026-06-30 - CVE-2026-13474 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-13474

Vulnerability Analysis

The vulnerability resides in the HTTP/2 request-processing path of NetScaler ADC and NetScaler Gateway. When HTTP/2 is enabled in an HTTP Profile bound to an LB, CS, or VPN virtual server, or to a service, the appliance fails to properly release memory allocated during handling of malformed HTTP/2 frames.

Repeated delivery of such frames causes memory resources to accumulate without reclamation. Over time, the affected process exhausts available memory and stops servicing legitimate traffic. Availability of the appliance is affected, while confidentiality and integrity remain unaffected.

Root Cause

The root cause is a memory management defect classified as [CWE-401]. The HTTP/2 parser allocates buffers for incoming request state but does not release them along the error path triggered by malformed frames. Each malformed request leaves residual allocations that persist for the lifetime of the process.

Attack Vector

Exploitation is remote and unauthenticated. An attacker crafts malformed HTTP/2 requests and delivers them to any exposed virtual server or service where HTTP/2 negotiation is enabled. No credentials, no privileges, and no user interaction are required. Repeated requests over the network cause resource exhaustion and eventual denial of service on the affected NetScaler instance.

Because NetScaler ADC and Gateway commonly front business-critical applications, VPN endpoints, and published services, successful exploitation can disrupt access to entire application portfolios.

Detection Methods for CVE-2026-13474

Indicators of Compromise

  • Unexplained growth in memory utilization on NetScaler ADC or Gateway processes handling HTTP/2 traffic.
  • Elevated rates of HTTP/2 protocol errors, RST_STREAM frames, or GOAWAY frames on virtual servers with HTTP/2 enabled.
  • Sudden degradation or unavailability of LB, CS, or VPN virtual servers correlated with inbound HTTP/2 request spikes.
  • Repeated malformed HTTP/2 frames from a small set of source IP addresses in appliance logs.

Detection Strategies

  • Inspect NetScaler newnslog and syslog output for HTTP/2 parsing errors and memory pressure warnings.
  • Baseline HTTP/2 traffic volume per virtual server and alert on statistical deviations in request rate, error rate, or frame types.
  • Correlate availability alerts for LB, CS, and VPN virtual servers with concurrent HTTP/2 error counters.

Monitoring Recommendations

  • Enable and forward NetScaler AppFlow and syslog data to a centralized analytics platform for long-term retention and correlation.
  • Monitor memory and CPU utilization of NetScaler packet engines via SNMP and alert on sustained upward trends.
  • Track HTTP/2 protocol counters exposed by nsconmsg and NetScaler stats commands for anomalies over rolling windows.

How to Mitigate CVE-2026-13474

Immediate Actions Required

  • Identify all NetScaler ADC and NetScaler Gateway instances and inventory HTTP Profiles that have HTTP/2 enabled.
  • Determine which LB, CS, and VPN virtual servers and services are bound to HTTP/2-enabled HTTP Profiles.
  • Apply the fixed NetScaler builds published by Citrix per advisory CTX696604 as soon as change windows allow.
  • Restrict management and data-plane exposure of NetScaler appliances to trusted networks where operationally feasible.

Patch Information

Citrix has published guidance and fixed builds in the vendor advisory Citrix Security Article CTX696604. Administrators should consult the advisory for the specific NetScaler ADC and NetScaler Gateway versions that resolve CVE-2026-13474 and follow Citrix upgrade procedures.

Workarounds

  • Disable HTTP/2 in the HTTP Profile bound to affected virtual servers and services until patched builds can be deployed.
  • Unbind HTTP/2-enabled HTTP Profiles from LB, CS, and VPN virtual servers where HTTP/2 is not strictly required.
  • Place upstream protections such as an HTTP/2-aware reverse proxy or WAF that validates HTTP/2 framing in front of exposed NetScaler virtual servers.
bash
# Configuration example: disable HTTP/2 on an HTTP Profile as a temporary workaround
# Run from the NetScaler CLI
set ns httpProfile <http_profile_name> -http2 DISABLED

# Verify the change
show ns httpProfile <http_profile_name>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.