Description
Denial of service via malformed HTTP/2 requests in NetScaler ADC and NetScaler Gateway if HTTP/2 is enabled in HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
In plain language
AI Low urgencyIf you use NetScaler ADC or NetScaler Gateway with HTTP/2 turned on, a bad HTTP/2 request could knock the service offline; small businesses should patch, especially if your device is internet-facing.
Denial of service in NetScaler ADC/Gateway when malformed HTTP/2 requests are processed while HTTP/2 is enabled in the HTTP Profile and bound to the relevant virtual server/service, potentially exhausting or crashing request handling.
What to do now
- Check whether your NetScaler ADC or NetScaler Gateway has HTTP/2 enabled in the HTTP Profile and is associated with any active load-balancing, content switching, or VPN virtual server/service.
- Verify your current software version on the affected NetScaler device (ADC and/or Gateway).
- Upgrade to a fixed release: for both ADC and Gateway, move to 72.61 or 63.18 or 37.272 (choose the highest available fixed version that fits your environment).
- If you cannot upgrade right away, disable HTTP/2 in the relevant HTTP Profile(s) used by those virtual server/service bindings, then test that client connectivity still works.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:NConfidentialityI:NIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
References
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-13474 and every CVE in our database. Create a free account — no credit card required.
Create Free Account