CVE-2026-4368
Race condition vulnerability (CWE-362) in Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Under specific timing conditions during concurrent user authentication, the race condition causes one user's authenticated session context to be associated with a different user, enabling session hijacking and unauthorized access to that other user's resources. Disclosed alongside CVE-2026-3055 (pre-auth memory overread, CVSS 9.3) in Citrix security bulletin CTX696300 on March 23, 2026.

Affects build 14.1-66.54 only; exploitation requires low privileges and precise timing. Part of the CitrixBleed vulnerability family: its predecessors CVE-2023-4966 and CVE-2025-5777 were rapidly weaponized by threat actors including the LockBit ransomware group and the APT Salt Typhoon. Shadowserver reports over 30,000 NetScaler ADC instances exposed to the internet. Patched in versions 14.1-66.59, 13.1-62.23, and 13.1-37.262 (FIPS/NDcPP). Cloud-managed instances are not affected.
Weaknesses (CWE)
CWE-362
Threats tracking this CVE
- CVE-2026-3055 & CVE-2026-4368: Citrix NetScaler ADC/Gateway Unauthenticated Memory Disclosure and Session Hijacking — CRITICAL
- CVE-2026-3055 & CVE-2026-4368: Citrix NetScaler ADC/Gateway Pre-Auth Memory Overread and Session Mixup — CRITICAL
References
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog