
CitrixBleed 3
CVE-2026-3055: unauthenticated memory overread in NetScaler SAML IdP path, CVSS 9.3; third critical memory bug in Citrix NetScaler in 30 months.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Why does Citrix NetScaler keep getting the same kind of critical memory bug?
Timeline for CitrixBleed 3
Listed in KEV with 9 May federal remediation deadline
Cybersecurity: Threats and Defences: CISA deadline for PAN-OS RCE lands four days earlyMentioned in: cPanel zero-day ran 65 days before patch; Sorry ransomware active
Cybersecurity: Threats and DefencesMentioned in: CISA gives Cisco SD-WAN three days to patch
Cybersecurity: Threats and DefencesMentioned in: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
Cybersecurity: Threats and DefencesMentioned in: Trump proposes $707m CISA cut, 860 jobs
Cybersecurity: Threats and DefencesWhat is CitrixBleed 3 and how dangerous is it?
Is Citrix fixing the root cause of its repeated memory bugs?
What is the difference between CVE-2026-3055 and CVE-2026-4368?
Background
CitrixBleed 3 is an unauthenticated memory overread cluster in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider. The original CVE-2026-3055, scored CVSS v4.0 9.3, was disclosed by Citrix on 23 March 2026 and exploits a crafted SAMLRequest to the `/saml/login` endpoint. CISA added it to the Known Exploited Vulnerabilities catalogue on 28 March with a federal remediation Deadline of 2 April. WatchTowr confirmed active reconnaissance before mass exploitation. The NCSC issued an advisory on 25 March. A second CVE — CVE-2026-4368 — was disclosed alongside the patch: a distinct memory-overread primitive at the `/wsfed/passive` endpoint, widening the attack surface beyond the SAML PATH. Both CVEs were patched in the same release, but the dual-CVE structure confirms the memory management issue spans multiple authentication endpoints.
The attack PATH follows the same structural pattern as 2023's CitrixBleed (CVE-2023-4966): a crafted request omitting a required field causes the appliance to leak memory via the `NSC_TASS` cookie. The 2023 CitrixBleed was exploited by LockBit and multiple APT groups. CitrixBleed 2 followed in 2024. Three critical memory-disclosure vulnerabilities with the same structural pattern in 30 months, now spanning two distinct endpoints, points to a shared root cause in NetScaler's authentication-PATH memory management rather than isolated bugs.
For enterprises running NetScaler as their SAML broker for single sign-on, CitrixBleed 3 is a third iteration of the same risk: a crafted request to an authentication endpoint can expose session tokens that allow attackers to bypass authentication entirely. The risk calculus is no longer just patching CVE-2026-3055 and CVE-2026-4368; it is whether NetScaler should remain the SAML broker for an estate's entire authentication chain.