SB2026063084 - Multiple vulnerabilities in NetScaler ADC and NetScaler Gateway
Published: June 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-8451)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the SAML IdP functionality when processing SAML IdP input. A remote attacker can send crafted input to disclose sensitive information.
NetScaler ADC or NetScaler Gateway must be configured as a SAML IdP.
2) Buffer overflow (CVE-ID: CVE-2026-8452)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of operations within the bounds of a memory buffer in the gateway and AAA virtual server functionality when handling network requests. A remote attacker can send a specially crafted request to cause a denial of service.
The appliance must be configured as a gateway feature or an AAA virtual server.
3) Buffer overflow (CVE-ID: CVE-2026-8655)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of operations within the bounds of a memory buffer in the Oracle load balancing, DNS proxy, or DNS recursive resolver functionality when handling network requests. A remote attacker can send a specially crafted request to cause a denial of service.
NetScaler ADC must be configured as an Oracle load balancer, a DNS proxy, or a DNS recursive resolver deployment.
4) External Control of File Name or Path (CVE-ID: CVE-2026-10816)
CWE-ID: CWE-73 - External Control of File Name or Path
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to external control of file name or path in the management interface when handling file access requests. A remote attacker can request arbitrary files to disclose sensitive information.
Exploitation requires access to NSIP, Cluster Management IP, or SNIP with management access enabled.
5) Out-of-bounds read (CVE-ID: CVE-2026-10817)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the TCP timestamp handling functionality when processing network traffic. A remote attacker can send crafted network traffic to disclose sensitive information.
TCP TimeStamp must be enabled in a TCP profile associated with a virtual server or configured service.
6) Memory leak (CVE-ID: CVE-2026-13474)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to missing release of memory after effective lifetime in the HTTP/2 request handling functionality when processing malformed HTTP/2 requests. A remote attacker can send malformed HTTP/2 requests to cause a denial of service.
HTTP/2 must be enabled in an HTTP profile associated with a virtual server or configured service.
Remediation
Install update from vendor's website.