What happened
CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed in-the-wild exploitation and a rapid remediation deadline (CISA KEV, https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The KEV entry sets the date added to 2026-03-30 and a remediation due date of 2026-04-02 for impacted federal agencies (CISA KEV). The vulnerability is an out-of-bounds read in Citrix NetScaler when configured as a SAML Identity Provider (IdP), leading to a memory overread condition (NVD: CVE-2026-3055, https://nvd.nist.gov/vuln/detail/CVE-2026-3055).
Affected products include NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway), and the NetScaler ADC FIPS/NDcPP variants, as described in the publicly available records for CVE-2026-3055 (NVD: CVE-2026-3055). The CVE registration confirms the identifier and maps the flaw to a memory-safety category relevant to out-of-bounds access (MITRE: CVE-2026-3055).
Why it matters
Placement in CISA’s KEV means exploitation has been observed and federal programs are compelled to act on a tight timeline, which typically precedes broader, automated replication by opportunistic actors (CISA KEV). The weakness is a classic out-of-bounds read (CWE-125), a class that lets an attacker read memory outside the intended buffer and potentially access sensitive data held in adjacent regions (NVD: CVE-2026-3055). Because the flaw is gated by a SAML IdP configuration, organizations using NetScaler to issue identity assertions sit at a critical trust boundary, where information leakage can have an outsized blast radius across dependent services (NVD: CVE-2026-3055).
Even without remote code execution, memory-disclosure weaknesses can materially aid post-exploitation and lateral movement by exposing runtime data that should remain opaque, and CISA’s escalation to KEV indicates actors are already turning this condition into operational access (CISA KEV).
Technical detail
CVE-2026-3055 is categorized as an out-of-bounds read, which occurs when code reads data past the bounds of an allocated buffer because of improper index, length, or boundary checks (CWE-125) (NVD: CVE-2026-3055). The practical result in this case is a memory overread in NetScaler when the device is configured as a SAML IdP, indicating that the vulnerable execution path is tied to SAML processing on the appliance (NVD: CVE-2026-3055). The registered CVE entry documents the identifier and confirms the vulnerability class and affected product family (MITRE: CVE-2026-3055).
Because the flaw is specifically bound to the SAML IdP role, exposure depends on whether NetScaler is tasked with issuing SAML assertions, a common deployment pattern for federated access (NVD: CVE-2026-3055). Out-of-bounds reads commonly lead to unintended information disclosure at read time rather than memory corruption, which aligns with the “memory overread” impact noted for this CVE (NVD: CVE-2026-3055).
The KEV designation compresses timelines: agencies are expected to remediate or apply mitigations aligned to Binding Operational Directive guidance immediately upon listing (CISA KEV).
Defense
- Treat this as an active exploitation risk and execute CISA’s required actions: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable (CISA KEV).
- Rapidly inventory NetScaler instances configured as a SAML IdP, since the vulnerable path is tied to that role per the CVE description (NVD: CVE-2026-3055).
- Prioritize devices at identity boundaries and any externally reachable SAML IdP endpoints, as those align with the impacted feature per the CVE notes (NVD: CVE-2026-3055).
- Use the KEV due date (2026-04-02) as a hard internal service-level objective to drive change windows and emergency maintenance (CISA KEV).
- Track the authoritative records for updates on scope and remediation as they are published in the CVE and NVD entries (MITRE: CVE-2026-3055 and NVD: CVE-2026-3055).
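The inventory and prioritization steps above as a small triage script over a NetScaler ns.conf export, added here as an example and not code from the advisory, from Citrix, or from Lyrie. The command shapes (add authentication samlIdPProfile / samlIdPPolicy, bind authentication vserver) are assumed from the NetScaler CLI, the non-RFC1918 test is only a reachability heuristic, and every name and address in the sample is constructed.

```python
"""Triage helper for CVE-2026-3055: find NetScaler vservers acting as a SAML IdP.
Added example; command shapes are assumptions about the NetScaler CLI, sample data is constructed."""
import re
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

KEV_DUE_DATE = date(2026, 4, 2)  # remediation due date from the CISA KEV entry
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ns.conf excerpt: one vserver with a SAML IdP policy bound, one without.
SAMPLE_NS_CONF = """\
add authentication vserver auth_vs_partner SSL 203.0.113.10 443
add authentication samlIdPProfile partner_idp -samlIdPCertName idp_cert
add authentication samlIdPPolicy partner_idp_pol -rule true -action partner_idp
bind authentication vserver auth_vs_partner -policy partner_idp_pol -priority 100
add authentication vserver auth_vs_lab SSL 10.0.0.5 443
add authentication ldapAction lab_ldap -serverIP 10.0.0.20
bind authentication vserver auth_vs_lab -policy lab_ldap_pol -priority 100
"""

def saml_idp_bindings(ns_conf: str) -> dict[str, list[str]]:
    """Map each authentication vserver to the SAML IdP policies bound to it."""
    idp_policies = set(re.findall(r"^add authentication samlIdPPolicy (\S+)", ns_conf, re.M))
    bound: dict[str, list[str]] = defaultdict(list)
    for vs, pol in re.findall(r"^bind authentication vserver (\S+) -policy (\S+)", ns_conf, re.M):
        if pol in idp_policies:  # only the SAML IdP role is in scope for this CVE
            bound[vs].append(pol)
    return dict(bound)

def triage(ns_conf: str, today: date) -> list[dict]:
    """One row per SAML IdP vserver: VIP, non-RFC1918 heuristic, days left to the KEV due date."""
    addrs = dict(re.findall(r"^add authentication vserver (\S+) \S+ (\S+) \d+", ns_conf, re.M))
    rows = []
    for vs, pols in saml_idp_bindings(ns_conf).items():
        vip = ip_address(addrs[vs]) if vs in addrs else None
        rows.append({
            "vserver": vs, "vip": str(vip), "policies": pols,
            "possibly_external": vip is not None and not any(vip in net for net in RFC1918),
            "days_to_kev_due": (KEV_DUE_DATE - today).days,
        })
    # externally reachable IdP endpoints first, matching the advisory's prioritization
    return sorted(rows, key=lambda r: not r["possibly_external"])

if __name__ == "__main__":
    for row in triage(SAMPLE_NS_CONF, date(2026, 3, 30)):
        print(row)
```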
Lyrie Verdict
CVE-2026-3055 sits in the identity plane and is already in CISA’s KEV, which we treat as an active exploitation signal for autonomous response (CISA KEV). Lyrie instruments NetScaler-facing telemetry to detect abnormal SAML IdP request patterns and memory-disclosure indicators associated with out-of-bounds reads mapped to CWE-125 for this CVE (NVD: CVE-2026-3055). We auto-prioritize assets flagged as SAML IdP per the CVE scoping and escalate at machine speed until mitigations aligned to the KEV directive are verified in place (MITRE: CVE-2026-3055).