WatchTowr Labs analyzes CVE-2026-3055, a CVSS 9.3 memory overread vulnerability in Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. The bug stems from insufficient input validation in a C-based XML parser: when a SAML AuthnRequest is submitted without an AssertionConsumerServiceURL, the appliance reads uninitialized heap memory and leaks it back to the attacker via the NSC_TASS cookie. The researchers demonstrate the exploit, show the 0xdeadbeef memory marker in leaked data, and provide a simple detection method — patched appliances return a parsing error while vulnerable ones return the NSC_TASS cookie. Exploitation is probabilistic and noisy (leaves log entries), but in high-traffic production environments the odds of leaking sensitive memory increase significantly. WatchTowr also notes they discovered additional similar vulnerabilities during research, already reported to Citrix PSIRT. Patched versions are available.
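The root cause described above is an IdP endpoint that keeps processing an AuthnRequest after a required field is missing. The following Python snippet is an added illustration of the defensive pattern (reject the request with a parse error before any later code can touch an unset value); it is not watchTowr's or Citrix's code, and the SP registry, function names and sample requests are constructed assumptions. The allowlist check against registered ACS URLs goes beyond the page's specific case and reflects standard SAML IdP practice.

```python
"""Hardened SAML AuthnRequest intake for an IdP endpoint.

Hypothetical example: the registry, function names and sample requests below
are constructed for illustration and are not NetScaler code.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP registry: issuer (entityID) -> ACS URLs registered out of band.
REGISTERED_SPS = {
    "https://sp.example.test/metadata": {"https://sp.example.test/saml/acs"},
}


class AuthnRequestError(ValueError):
    """Validation failure: the caller answers with an HTTP 4xx, never with session state."""


def parse_authn_request(xml_bytes: bytes) -> dict:
    """Return the fields needed to answer an AuthnRequest, or raise AuthnRequestError.

    Every field used later in the flow is checked for presence here, so no
    downstream code path ever operates on a value the client never supplied.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise AuthnRequestError(f"malformed XML: {exc}") from None

    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise AuthnRequestError("root element is not samlp:AuthnRequest")

    request_id = root.get("ID")
    if not request_id:
        raise AuthnRequestError("ID attribute is required")

    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise AuthnRequestError("saml:Issuer is required")

    # The attribute whose absence triggered the uninitialized read in CVE-2026-3055:
    # reject the request outright instead of continuing with an unset value.
    acs_url = root.get("AssertionConsumerServiceURL")
    if not acs_url:
        raise AuthnRequestError("AssertionConsumerServiceURL is required")

    # Only honour ACS URLs pre-registered for this SP (standard SAML IdP practice,
    # applied here as an assumption about the deployment).
    allowed = REGISTERED_SPS.get(issuer)
    if allowed is None:
        raise AuthnRequestError(f"unknown issuer {issuer!r}")
    if acs_url not in allowed:
        raise AuthnRequestError("AssertionConsumerServiceURL not registered for issuer")

    return {"id": request_id, "issuer": issuer, "acs_url": acs_url}


def handle_saml_request_param(saml_request_b64: str) -> dict:
    """Decode the base64 SAMLRequest form parameter (HTTP-POST binding) and validate it."""
    try:
        raw = base64.b64decode(saml_request_b64, validate=True)
    except (ValueError, TypeError):
        raise AuthnRequestError("SAMLRequest is not valid base64") from None
    return parse_authn_request(raw)


# Constructed sample requests for demonstration.
GOOD_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2026-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/saml/acs">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

NO_ACS_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req2" Version="2.0"
    IssueInstant="2026-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def outcome(xml_bytes: bytes) -> str:
    """Summarise how the endpoint answers: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_authn_request(xml_bytes)
        return "accepted"
    except AuthnRequestError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(outcome(GOOD_REQUEST))
    print(outcome(NO_ACS_REQUEST))
```

The design point is that the response to a missing ACS URL is a hard rejection before any session or cookie logic runs, which mirrors the observable behaviour of the patched appliance (a parsing error rather than an NSC_TASS cookie). In production, pair the stdlib parser with a hardened XML library or disable entity processing, since XML intake on an authentication endpoint is a favourite place for parser abuse.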

13 min read. From labs.watchtowr.com
Table of contents

- What Is Citrix NetScaler and NetScaler Gateway?
- What Is CVE-2026-3055?
- We Begin With SAML
- Service Discovery
- You're Back In The Room, And It's Depressing
- Gain early access to our research, and understand your exposure, with the watchTowr Platform
