Skip to main content

NetScaler ADC CVE-2026-10817

| EUVDEUVD-2026-40317 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-30 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5 GHSA-jmh3-rwcx-284r
6.9
CVSS 4.0 · Vendor: 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5
Share

Severity by source

Vendor (50a63c94-1ea7-4568-8c11-eb79e7c5a2b5) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ENISA EUVD
HIGH
qualitative
vuln.today AI
3.7 LOW

AC:H because exploitation requires TCP TimeStamp explicitly enabled and bound to a virtual server - a non-default configuration beyond the attacker's control; confidentiality impact only.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (50a63c94-1ea7-4568-8c11-eb79e7c5a2b5).

CVSS VectorVendor: 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 30, 2026 - 15:01 EUVD
Analysis Generated
Jun 30, 2026 - 13:31 vuln.today

DescriptionCVE.org

Insufficient input validation leading to memory overread in NetScaler ADC and NetScaler Gateway if the TCP TimeStamp is enabled in TCP Profile and is associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler

AnalysisAI

Memory overread in Citrix NetScaler ADC and NetScaler Gateway exposes low-confidence partial memory contents to unauthenticated remote attackers when TCP TimeStamp processing is triggered against a misconfigured or specifically configured TCP Profile. The vulnerability is rooted in insufficient input validation (CWE-125) within the TCP TimeStamp handling code path, affecting virtual servers of type Load Balancer, Content Switching, and VPN, as well as configured services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed NetScaler endpoint
Delivery
Send crafted TCP segment with malformed TimeStamp option
Exploit
Trigger insufficient bounds check in TCP Profile handler
Execution
Out-of-bounds read leaks adjacent process memory
Impact
Attacker receives partial memory disclosure in TCP response

Vulnerability AssessmentAI

Exploitation Exploitation requires two explicit conditions to be simultaneously true on the target NetScaler: (1) TCP TimeStamp must be enabled within a TCP Profile object - this is an explicit configuration choice, not a default - and (2) that TCP Profile must be bound to a virtual server of type Load Balancer, Content Switching, or VPN, OR to a service configured on the NetScaler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N reflects a network-accessible, unauthenticated attack with low confidentiality impact and no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted TCP segment containing a malformed or boundary-violating TCP TimeStamp option to an internet-exposed NetScaler virtual server (LB, CS, or VPN type) that has a TCP Profile with TimeStamp enabled. The insufficient input validation triggers an out-of-bounds read in the NetScaler TCP processing stack, causing the appliance to return memory contents adjacent to the intended buffer - potentially leaking fragments of in-memory data such as session state, connection metadata, or other process memory. …
Remediation The primary remediation is to apply the patch released by Citrix as documented in advisory CTX696604 (https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604); the exact fixed version number is not confirmed in the available intelligence data and must be obtained directly from the Citrix advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-5777 HIGH POC
7.5 Jun 17

Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory o

CVE-2025-6543 CRITICAL POC
9.8 Jun 25

Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability (CVE-2025-6543, CVSS 9.8) leading to unintended

CVE-2026-8451 HIGH POC
8.8 Jun 30

Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the a

CVE-2025-5349 HIGH POC
8.8 Jun 17

Improper access control vulnerability in NetScaler ADC and NetScaler Gateway management interfaces that allows unauthent

CVE-2023-4967 HIGH POC
7.5 Oct 27

Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CV

CVE-2014-2881 CRITICAL
10.0 May 01

Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in Citrix

CVE-2014-2882 CRITICAL
10.0 May 01

Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler

CVE-2026-8452 HIGH
8.8 Jun 30

Denial of service and memory corruption in Citrix NetScaler ADC and NetScaler Gateway allows remote unauthenticated atta

CVE-2026-8655 HIGH
8.8 Jun 30

Denial of service in Citrix NetScaler ADC and NetScaler Gateway stems from multiple memory overflow conditions that prod

CVE-2026-13474 HIGH
8.7 Jun 30

Denial of service in Citrix NetScaler ADC and NetScaler Gateway allows remote attackers to crash or render unresponsive

CVE-2024-8534 HIGH
8.4 Nov 12

Memory safety vulnerability leading to memory corruption and Denial of Service in NetScaler ADC and Gateway if the appli

CVE-2026-10816 HIGH
7.1 Jun 30

Arbitrary file read in Citrix NetScaler ADC and NetScaler Gateway lets unauthenticated attackers on an adjacent network

Share

CVE-2026-10817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy