2026-003: Multiple Vulnerabilities in Citrix NetScaler and Citrix ADC
ID: c89de974-a3f7-59ed-a828-8175036acf1f
STIX ID: report--c89de974-a3f7-59ed-a828-8175036acf1f
Feed Name: CERT-EU Security Advisories
On 23 March 2026, Citrix published an advisory for NetScaler ADC and NetScaler Gateway addressing two vulnerabilities: CVE-2026-3055 (out-of-bounds read, CVSS 9.3) and CVE-2026-4368 (race condition, CVSS 7.7). These can lead to memory information disclosure and user session mix-up. No public exploitation has been observed. CERT-EU recommends prioritising patching of internet-facing appliances, applying network-level access controls and GDL mitigations, preserving snapshots for investigation, and terminating sessions after patching.
