CVE-2026-8655 Overview
CVE-2026-8655 describes multiple memory overflow vulnerabilities in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. The flaws produce unpredictable or erroneous behavior and enable Denial of Service against affected appliances. The vulnerabilities are exposed when NetScaler ADC is configured as a load balancer of type Oracle, as a DNS Proxy, or as a DNS recursive resolver. Attackers can reach the vulnerable code paths over the network without authentication or user interaction. The underlying weakness is classified as [CWE-119], improper restriction of operations within the bounds of a memory buffer.
Critical Impact
Unauthenticated network attackers can trigger memory corruption in NetScaler ADC and Gateway to induce Denial of Service in Oracle load balancing and DNS proxy or recursive resolver deployments.
Affected Products
- Citrix NetScaler Application Delivery Controller (including FIPS and NDcPP builds)
- Citrix NetScaler Application Delivery Controller 14.1-66.68 FIPS
- Citrix NetScaler Gateway
Discovery Timeline
- 2026-06-30 - CVE-2026-8655 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-8655
Vulnerability Analysis
The advisory documents multiple memory overflow conditions in NetScaler ADC and NetScaler Gateway. The flaws affect execution paths tied to specific service configurations rather than the base platform alone. When the appliance parses or forwards protocol data in these deployments, malformed inputs exceed allocated buffer bounds. The result is memory corruption that destabilizes worker processes and interrupts traffic handling. Successful exploitation requires no credentials and no user interaction.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119]. Input handling routines associated with Oracle load balancing traffic and DNS proxy or recursive resolver logic do not validate size or structure before writing to fixed buffers. Boundary checks are missing or incorrect, allowing crafted network payloads to overflow adjacent memory regions.
Attack Vector
Exploitation is remote over the network. An attacker sends specially crafted traffic to a NetScaler appliance configured with one of the vulnerable service profiles: a virtual server load balancing Oracle backends, a DNS Proxy, or a DNS recursive resolver. The malformed request drives the process into an out-of-bounds write, corrupting state and causing the service to enter an erroneous state or terminate.
No public proof-of-concept exploit code is available for CVE-2026-8655. Refer to the Citrix Knowledge Base Article CTX696604 for vendor technical details.
Detection Methods for CVE-2026-8655
Indicators of Compromise
- Unexpected restarts or crashes of NetScaler packet engines or nsppe processes on appliances hosting Oracle load balancers or DNS services.
- Sudden loss of DNS resolution responses from NetScaler DNS Proxy or recursive resolver virtual servers.
- Abnormal spikes in malformed DNS queries or Oracle TNS traffic directed at NetScaler VIPs.
Detection Strategies
- Inventory all NetScaler ADC and Gateway instances and flag those running LB vservers of type ORACLE, DNS Proxy, or DNS recursive resolver configurations.
- Correlate appliance crash logs and core dumps with inbound traffic samples targeting affected virtual servers.
- Deploy IDS or IPS signatures for malformed DNS and Oracle protocol payloads directed at NetScaler management and data plane IPs.
Monitoring Recommendations
- Forward NetScaler newnslog, ns.log, and SNMP trap data to a centralized log platform for continuous review.
- Alert on repeated service restarts, high-availability failovers, or health-monitor state changes on Oracle LB and DNS vservers.
- Track baseline query volumes to DNS vservers and alert on sustained deviations that may signal exploitation attempts.
How to Mitigate CVE-2026-8655
Immediate Actions Required
- Apply the fixed NetScaler ADC and NetScaler Gateway builds identified in the Citrix advisory as soon as they are validated in a maintenance window.
- Restrict network exposure of NetScaler management and DNS interfaces to trusted sources until patches are deployed.
- Audit configurations for LB vservers of type ORACLE and any DNS_PROXY or DNS recursive resolver services and disable those not in production use.
Patch Information
Citrix has published guidance and fixed versions in Citrix Knowledge Base Article CTX696604. Administrators should identify their current firmware build, including FIPS and NDcPP variants, and upgrade to the vendor-designated remediated release. Version 14.1-66.68 FIPS is explicitly listed among affected builds and requires upgrade.
Workarounds
- Temporarily remove or disable Oracle-type LB virtual servers where the service is not business critical.
- Where feasible, replace NetScaler DNS Proxy or recursive resolver functionality with hardened upstream DNS infrastructure until patching completes.
- Enforce ACLs on the NetScaler NSIP, SNIP, and DNS VIPs so that only authorized client networks can reach the affected services.
# Configuration example: restrict access to DNS vserver using an ACL
add ns acl restrict_dns_vip DENY -destIP = 10.10.10.50 -destPort = 53 -protocol UDP
add ns acl allow_trusted_dns ALLOW -srcIP = 192.168.100.0-192.168.100.255 -destIP = 10.10.10.50 -destPort = 53 -protocol UDP
apply ns acls
save ns config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

