CitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451)
A new pre-auth memory overread vulnerability, CVE-2026-8451 (CVSS 8.8), has been disclosed in Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. The flaw resides in the custom XML parser handling SAML AuthnRequest messages, where unquoted attribute values terminated by newlines cause the parser to read beyond the buffer boundaries. This leaked memory, which may include sensitive data or pointers, is returned to the attacker via the NSC_TASS cookie, and the issue can also be triggered to crash the nsppe process.
Detection / Hunteropenrouter
What Happened
Researchers discovered a serious security flaw in Citrix NetScaler networking devices that allows attackers to steal sensitive internal memory without needing a password. This affects organizations using these devices for remote access when configured to handle SAML logins. The vulnerability matters because attackers could use the stolen memory to help further compromise the device or simply crash it, causing a network outage. Organizations using affected Citrix NetScaler devices should update their software to the latest patched versions immediately.
Key Takeaways
- CVE-2026-8451 is a pre-auth memory overread vulnerability in Citrix NetScaler ADC and Gateway appliances configured as a SAML Identity Provider (IDP).
- The vulnerability stems from a flawed XML parser that fails to properly terminate unquoted attribute values when a newline is used, allowing the parser to read beyond the input buffer.
- Attackers can leak arbitrary memory, including binary data and pointers, which is returned to the attacker in the NSC_TASS cookie, potentially aiding further exploitation.
- A simple malformed request can crash the nsppe process, resulting in a Denial of Service condition.
- Affected versions include NetScaler ADC/Gateway 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18, among other FIPS/NDcPP versions.
Affected Systems
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-63.18
- NetScaler ADC FIPS before 14.1-72.61 FIPS
- NetScaler ADC FIPS and NDcPP before 13.1-37.272
Vulnerabilities (CVEs)
- CVE-2026-8451 (CVSS 8.8) - Insufficient input validation leading to memory overread when configured as a SAML IDP
Attack Chain
The attacker sends a specially crafted HTTP POST request to the /saml/login endpoint of a vulnerable NetScaler configured as a SAML IDP. The request contains a base64-encoded SAML AuthnRequest with unquoted attribute values terminated by newlines and an unclosed AuthnRequest tag. Due to insufficient input validation in the XML parser, the appliance reads past the end of the XML buffer into adjacent memory. The leaked memory data is then returned to the attacker embedded within the NSC_TASS cookie in the HTTP response. Alternatively, a minimal malformed request can trigger a crash in the nsppe process, leading to a denial of service.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article mentions a Detection Artefact Generator script available on their GitHub, but does not provide specific detection rules (YARA, Sigma, etc.) within the text.
Detection Engineering Assessment
EDR Visibility: Low — EDR agents are generally not installed on Citrix NetScaler appliances; visibility relies on network traffic analysis and appliance logs. Network Visibility: High — The attack occurs over HTTP/HTTPS to the /saml/login endpoint, which can be inspected by network security monitoring tools if SSL is terminated or inspected. Detection Difficulty: Moderate — Detecting the specific malformed SAML request requires inspecting base64-decoded POST body content for unquoted attributes and newlines, which may not be standard in all SIEM setups. Detecting the crash via ns.log is easier.
Required Log Sources
- NetScaler /var/log/ns.log
- Web Proxy/Load Balancer logs
- NetScaler HTTP request logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Hunt for HTTP POST requests to /saml/login containing base64-encoded SAML requests that, when decoded, contain unquoted attribute values terminated by newlines. | Web proxy logs, WAF logs, or full packet capture | Initial Access | Low - legitimate SAML requests typically use quoted attributes. |
| Hunt for NSC_TASS cookies in HTTP responses that contain unusually long or binary data, indicating memory overread. | Web proxy logs or WAF logs | Exfiltration | Low - standard cookies should not contain raw binary memory patterns. |
| Hunt for nsppe process crashes or restarts in NetScaler logs, specifically looking for signal 6 or core dumps. | NetScaler /var/log/ns.log | Impact | Medium - crashes can occur due to other hardware or software issues, but sudden repeated crashes are suspicious. |
Control Gaps
- WAF rules may not inspect the decoded contents of SAMLRequest parameters for malformed XML attributes.
- Lack of monitoring for NetScaler process crashes and core dumps as a potential indicator of exploitation.
Key Behavioral Indicators
- HTTP POST to /saml/login with base64 payload containing unquoted XML attributes
- Presence of newline characters (0x0A) within decoded SAMLRequest XML attribute values
- NSC_TASS cookie containing non-ASCII or binary data
- nsppe process exiting with signal 6 (core dumped)
False Positive Assessment
- Low - The specific malformed SAML request pattern (unquoted attributes with newlines) is highly unlikely in legitimate traffic. Process crashes could have other causes but should be investigated in conjunction with request patterns.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Patch affected NetScaler ADC and Gateway appliances to the fixed versions (14.1-72.61, 13.1-63.18, etc.) immediately.
- If patching is delayed, consider temporarily disabling SAML IDP functionality if business impact is acceptable.
Infrastructure Hardening
- Evaluate whether your WAF or load balancer can be configured to inspect and block malformed SAML requests containing unquoted attributes or newlines in attribute values.
- Ensure NetScaler management interfaces and gateways are not exposed to the public internet unnecessarily.
User Protection
- Monitor for unusual authentication failures or session resets that might indicate exploitation attempts.
- Consider forcing re-authentication for active sessions after patching to invalidate any potentially leaked session data.
Security Awareness
- Inform security operations teams about the indicators of compromise associated with this vulnerability, specifically malformed SAML requests and nsppe crashes.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1499 - Endpoint Denial of Service