SecurityWeek ·EN-US News source Patch releasedNetScaler ADCNetScaler Gateway
Citrix Patches NetScaler Vulnerabilities, Including New ‘HTTP/2 Bomb’ Attack
CVE Tools coverage
Citrix has released new security updates for NetScaler ADC and NetScaler Gateway that address six vulnerabilities, including the recently publicized HTTP/2 Bomb denial-of-service flaw. Affected CVEs include CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816 (memory corruption and arbitrary file read issues), plus CVE-2026-49975 (an out-of-bounds read) and CVE-2026-13474 for the NetScaler-specific HTTP/2 Bomb behavior that can knock Apache HTTP Server offline. These issues matter because exploitation could enable service disruption and, for some bugs, memory-related data exposure; upgrade to the fixed NetScaler versions as indicated by Citrix and verify whether your configuration enables the vulnerable components.