NetScaler ADC and NetScaler Gateway appliances configured as a SAML Identity Provider (IdP) or leveraging WS-Federation are vulnerable to a severe out-of-bounds memory read (CWE-125).
As documented by WatchTowr Labs and Hadrian, the vulnerability is triggered via a maliciously crafted HTTP GET request targeting specific authentication endpoints. By exploiting a parsing flaw in the query string, attackers can force the appliance to leak up to 65KB of contiguous heap memory. This leaked memory frequently contains highly sensitive, active NSSESSIONID tokens, allowing threat actors to bypass MFA and hijack existing VPN or administrative sessions.
The core of the vulnerability resides within the NetScaler Packet Processing Engine (nsppe), the highly optimized, proprietary user-space daemon responsible for handling TCP/HTTP traffic on the appliance.
When a NetScaler appliance is configured as an IdP, it exposes endpoints such as /saml/login and /wsfed/passive. These endpoints expect a context parameter, typically wctx, which is used to maintain state during the authentication redirect flow.
The query-string parser in nsppe, native C code, expects standard key=value formatting (e.g., ?wctx=ContextData). Its bounds-checking logic fails when the = delimiter is omitted, i.e., when wctx is followed immediately by the end of the string or by an ampersand (&).
According to WatchTowr’s binary analysis:
The parser searches for the wctx string.
It attempts to locate the = character to calculate the length of the payload.
When = is missing, the pointer arithmetic used to derive the value's length goes wrong, yielding an integer underflow or an otherwise grossly miscalculated length.
The code then allocates a buffer and performs a memcpy() with this oversized, corrupted length, copying adjacent chunks of nsppe heap memory into the response buffer.
The over-read memory is not dumped into the HTML body. It is Base64-encoded and returned to the client in the NSC_TASS (Telemetry/Assertion State) cookie of the 302 redirect response, so the attacker only has to decode the cookie to read the raw memory.
Exploiting CVE-2026-3055 requires no prior authentication. Advanced threat actors use heap grooming so that the leaked region contains high-value data such as session tokens rather than junk.
Target Identification: The attacker identifies a NetScaler appliance with SAML IdP enabled (often verifiable via the presence of specific login portals).
Heap Spraying (Optional but likely): The attacker may send numerous legitimate authentication requests to force the allocation of AAA (Authentication, Authorization, and Auditing) session tokens into predictable heap regions.
Triggering the Bug: The attacker sends the malformed GET request: GET /wsfed/passive?wctx HTTP/1.1.
Data Extraction: The appliance responds with an abnormally large Set-Cookie: NSC_TASS=[Base64_String].
Session Hijacking: The attacker decodes the Base64 string, parses the raw memory dump for strings matching NSSESSIONID=, and injects this stolen cookie into their own browser to bypass authentication.
Because the payload targets the nsppe daemon directly and the appliance operates as a black box, traditional host-based forensics are limited. Incident responders must rely heavily on network telemetry and appliance logs.
Appliance Logs (ns.log)
Examine /var/log/ns.log for HTTP requests targeting /saml/login or /wsfed/passive. Crucial Note: Depending on the logging configuration, NetScaler may strip malformed query parameters, making the absence of = difficult to spot natively.
WAF & Reverse Proxy Logs
If the NetScaler sits behind a WAF or a CDN (like Cloudflare), query those edge logs. Look for requests where the URI contains wctx at the very end of the string, or immediately followed by & (e.g., wctx&otherparam=1).
Hunting for the Post-Exploitation Phase (Session Hijacking)
Finding the exploit attempt is only step one. DFIR analysts must determine if sessions were successfully hijacked.
Look for “Impossible Travel” anomalies in your AAA logs.
Identify scenarios where a single NSSESSIONID is suddenly used by a radically different Source IP address or User-Agent without a corresponding new login event.
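The two hunts just described, a session reused from a different source IP or User-Agent with no new login, and impossible travel, as an added Python example that is not part of the original write-up. The AAA events, their pipe-separated layout and the prefix-to-country table are all constructed for the example; a real hunt parses the appliance's own log format and uses a GeoIP database in place of the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "login" (new AAA session created) or "request" (existing session reused)
    session: str     # NSSESSIONID value, shortened here
    src_ip: str
    user_agent: str
    user: str


# Constructed AAA-style events (assumption: not real appliance output), pipe-separated.
SAMPLE_EVENTS = """\
2026-03-01T08:00:00 | login   | sess-A | 203.0.113.10  | Mozilla/5.0 (Windows NT 10.0) | alice
2026-03-01T08:05:00 | request | sess-A | 203.0.113.10  | Mozilla/5.0 (Windows NT 10.0) | alice
2026-03-01T08:20:00 | request | sess-A | 198.51.100.77 | curl/8.5.0                    | alice
2026-03-01T09:00:00 | login   | sess-B | 192.0.2.40    | Mozilla/5.0 (Macintosh)       | bob
2026-03-01T09:15:00 | request | sess-B | 192.0.2.40    | Mozilla/5.0 (Macintosh)       | bob
2026-03-01T09:40:00 | request | sess-C | 192.0.2.77    | Mozilla/5.0 (X11; Linux)      | carol
"""

# Constructed prefix-to-country table standing in for a GeoIP lookup (assumption, not real data).
GEO_BY_PREFIX = {"203.0.113.": "DE", "198.51.100.": "BR", "192.0.2.": "DE"}
# Two countries for one session inside this window is treated as impossible travel.
TRAVEL_WINDOW = timedelta(hours=2)


def country_of(ip):
    for prefix, cc in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, session, ip, ua, user = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.fromisoformat(ts), kind, session, ip, ua, user))
    return sorted(events, key=lambda e: e.ts)


def find_hijacked_sessions(events):
    """Return one finding per session whose later use does not match its login."""
    origin = {}     # session -> Event of the most recent login for that session
    last_seen = {}  # session -> most recent Event of any kind for that session
    findings = {}
    for e in events:
        if e.kind == "login":
            origin[e.session] = e
            last_seen[e.session] = e
            continue
        if e.session not in origin:
            # No login visible in this log window: cannot judge, so skip rather than alert.
            last_seen[e.session] = e
            continue
        o = origin[e.session]
        reasons = []
        if e.src_ip != o.src_ip:
            reasons.append("source IP changed since login")
        if e.user_agent != o.user_agent:
            reasons.append("User-Agent changed since login")
        prev = last_seen[e.session]
        if (country_of(prev.src_ip) != country_of(e.src_ip)
                and e.ts - prev.ts <= TRAVEL_WINDOW):
            reasons.append("impossible travel")
        last_seen[e.session] = e
        if reasons and e.session not in findings:
            findings[e.session] = {
                "session": e.session, "user": o.user,
                "login_ip": o.src_ip, "new_ip": e.src_ip,
                "login_ua": o.user_agent, "new_ua": e.user_agent,
                "at": e.ts.isoformat(), "reasons": reasons,
            }
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_hijacked_sessions(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

A session that never appears in a login event inside the window (sess-C above) is deliberately not flagged: on its own it may just be a session created before the window opened, so it is better handled by widening the time range than by alerting.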
title: Citrix NetScaler wctx Parameter Without Value (CVE-2026-3055)
description: Detects malformed HTTP GET requests targeting SAML/WS-Fed endpoints on Citrix NetScaler, specifically the wctx parameter without a value assignment, indicative of CVE-2026-3055.
logsource:
    category: webserver
detection:
    selection_endpoints:
        c-uri|contains:
            - '/saml/login'
            - '/wsfed/passive'
    selection_payload:
        # Matches wctx at the end of the query string or followed directly by another parameter
        cs-uri-query|re: '(?i)(^|&)wctx(&|$)'
    condition: selection_endpoints and selection_payload
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.3055
hunt_netscaler_wctx_abuse.spl
# Splunk query for identifying the malformed query string in edge logs
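The query-string check behind the Sigma rule, as an added Python example run over constructed access-log lines (not the page's own code and not a Citrix or WatchTowr tool). It parses the query by hand because urllib.parse.parse_qs silently drops a key that has no =, which is exactly the condition being hunted. Percent-decoding the key names and widening the regex to also accept a leading ? are the example's own choices for log sources that keep the ? in the query field; the page states nothing about how the appliance itself treats encoded keys.

```python
import re
from urllib.parse import urlsplit, unquote

# Paths the advisory names as the affected IdP endpoints.
TARGET_PATHS = ("/saml/login", "/wsfed/passive")

# The Sigma rule's expression, widened to tolerate a leading '?' in the query field.
WCTX_NO_VALUE = re.compile(r"(?i)(^|[?&])wctx(&|$)")

# Constructed access-log lines (assumption, not real appliance or WAF output):
# client IP, method, request target, protocol, status.
SAMPLE_LOG = """\
198.51.100.7 GET /wsfed/passive?wctx HTTP/1.1 302
198.51.100.7 GET /saml/login?SAMLRequest=PHNhbWw&wctx&RelayState=abc HTTP/1.1 302
203.0.113.9 GET /saml/login?wctx=rm%3D0%26id%3Dpassive HTTP/1.1 302
203.0.113.9 GET /wsfed/passive?wctx=ctx123&wa=wsignin1.0 HTTP/1.1 302
192.0.2.5 GET /index.html?wctx HTTP/1.1 200
198.51.100.7 GET /wsfed/passive?wctx= HTTP/1.1 302
"""
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<target>\S+) \S+ (?P<status>\d{3})$")


def parse_query(query):
    """Split a raw query string into (key, value) pairs, keeping bare keys.

    The value is None when '=' is absent (the malformed case) and '' when '='
    is present but empty, which is a well-formed, non-triggering request.
    """
    pairs = []
    for part in query.split("&"):
        if part == "":
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((unquote(key), value))
        else:
            pairs.append((unquote(part), None))
    return pairs


def is_wctx_without_value(target):
    """True when the request hits an affected endpoint with a bare 'wctx' key."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(TARGET_PATHS):
        return False
    return any(key.lower() == "wctx" and value is None
               for key, value in parse_query(parts.query))


def regex_flags(target):
    """The Sigma-style regex check on the query component, for comparison."""
    return bool(WCTX_NO_VALUE.search(urlsplit(target).query))


def scan_log(text):
    """Return (client, target, status) for every log line that trips the check."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_wctx_without_value(m["target"]):
            hits.append((m["client"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for client, target, status in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {status}")
```

Only the two bare-wctx requests to the affected endpoints are reported; wctx with a value, wctx= with an empty value, and a bare wctx on an unrelated path are all left alone, which keeps the check aligned with the parsing flaw the advisory describes rather than with the parameter name in general.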
Patching the appliance alone is insufficient to secure the environment if it has been exposed. Because this vulnerability leaks active session tokens, attackers can maintain persistent access even after the firmware is updated.
Firmware Update: Immediately upgrade all NetScaler ADC and Gateway appliances to the patched builds provided by the vendor.
Session Revocation (CRITICAL): You must actively terminate all current sessions. Issue the following command via the NetScaler CLI: kill aaa session all. This forces all users (and any lurking attackers) to re-authenticate, rendering any stolen NSSESSIONID tokens useless.
Secret Rotation: Because the memory overread can leak anything residing in the nsppe heap, it is highly recommended to rotate SAML signing certificates, LDAP bind passwords, and associated RADIUS shared secrets configured on the appliance.