CVE-2026-13474 Overview
CVE-2026-13474 is a denial-of-service vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. Malformed HTTP/2 requests can exhaust resources on affected appliances, causing service disruption. The flaw is exploitable when HTTP/2 is enabled in the HTTP Profile and associated with a virtual server of type Load Balancing (LB), Content Switching (CS), or VPN, or with a service configured on NetScaler.
The vulnerability is tracked under [CWE-401] (Missing Release of Memory after Effective Lifetime), indicating a memory leak triggered by malformed protocol input. It is unauthenticated and network-reachable, requiring no user interaction.
Critical Impact
Remote unauthenticated attackers can trigger denial of service on NetScaler ADC and Gateway appliances by sending malformed HTTP/2 requests when HTTP/2 is enabled on affected virtual servers or services.
Affected Products
- Citrix NetScaler Application Delivery Controller (ADC)
- Citrix NetScaler Application Delivery Controller (FIPS and NDcPP editions)
- Citrix NetScaler Gateway
Discovery Timeline
- 2026-06-30 - CVE-2026-13474 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-13474
Vulnerability Analysis
The vulnerability resides in the HTTP/2 request-processing path of NetScaler ADC and NetScaler Gateway. When HTTP/2 is enabled in an HTTP Profile bound to an LB, CS, or VPN virtual server, or to a service, the appliance fails to properly release memory allocated during handling of malformed HTTP/2 frames.
Repeated delivery of such frames causes memory resources to accumulate without reclamation. Over time, the affected process exhausts available memory and stops servicing legitimate traffic. Availability of the appliance is affected, while confidentiality and integrity remain unaffected.
Root Cause
The root cause is a memory management defect classified as [CWE-401]. The HTTP/2 parser allocates buffers for incoming request state but does not release them along the error path triggered by malformed frames. Each malformed request leaves residual allocations that persist for the lifetime of the process.
Attack Vector
Exploitation is remote and unauthenticated. An attacker crafts malformed HTTP/2 requests and delivers them to any exposed virtual server or service where HTTP/2 negotiation is enabled. No credentials, no privileges, and no user interaction are required. Repeated requests over the network cause resource exhaustion and eventual denial of service on the affected NetScaler instance.
Because NetScaler ADC and Gateway commonly front business-critical applications, VPN endpoints, and published services, successful exploitation can disrupt access to entire application portfolios.
Detection Methods for CVE-2026-13474
Indicators of Compromise
- Unexplained growth in memory utilization on NetScaler ADC or Gateway processes handling HTTP/2 traffic.
- Elevated rates of HTTP/2 protocol errors, RST_STREAM frames, or GOAWAY frames on virtual servers with HTTP/2 enabled.
- Sudden degradation or unavailability of LB, CS, or VPN virtual servers correlated with inbound HTTP/2 request spikes.
- Repeated malformed HTTP/2 frames from a small set of source IP addresses in appliance logs.
Detection Strategies
- Inspect NetScaler newnslog and syslog output for HTTP/2 parsing errors and memory pressure warnings.
- Baseline HTTP/2 traffic volume per virtual server and alert on statistical deviations in request rate, error rate, or frame types.
- Correlate availability alerts for LB, CS, and VPN virtual servers with concurrent HTTP/2 error counters.
Monitoring Recommendations
- Enable and forward NetScaler AppFlow and syslog data to a centralized analytics platform for long-term retention and correlation.
- Monitor memory and CPU utilization of NetScaler packet engines via SNMP and alert on sustained upward trends.
- Track HTTP/2 protocol counters exposed by nsconmsg and NetScaler stats commands for anomalies over rolling windows.
How to Mitigate CVE-2026-13474
Immediate Actions Required
- Identify all NetScaler ADC and NetScaler Gateway instances and inventory HTTP Profiles that have HTTP/2 enabled.
- Determine which LB, CS, and VPN virtual servers and services are bound to HTTP/2-enabled HTTP Profiles.
- Apply the fixed NetScaler builds published by Citrix per advisory CTX696604 as soon as change windows allow.
- Restrict management and data-plane exposure of NetScaler appliances to trusted networks where operationally feasible.
Patch Information
Citrix has published guidance and fixed builds in the vendor advisory Citrix Security Article CTX696604. Administrators should consult the advisory for the specific NetScaler ADC and NetScaler Gateway versions that resolve CVE-2026-13474 and follow Citrix upgrade procedures.
Workarounds
- Disable HTTP/2 in the HTTP Profile bound to affected virtual servers and services until patched builds can be deployed.
- Unbind HTTP/2-enabled HTTP Profiles from LB, CS, and VPN virtual servers where HTTP/2 is not strictly required.
- Place upstream protections such as an HTTP/2-aware reverse proxy or WAF that validates HTTP/2 framing in front of exposed NetScaler virtual servers.
# Configuration example: disable HTTP/2 on an HTTP Profile as a temporary workaround
# Run from the NetScaler CLI
set ns httpProfile <http_profile_name> -http2 DISABLED
# Verify the change
show ns httpProfile <http_profile_name>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

