
CitrixBleed 3 (CVE-2026-3055): Critical Risk for SAMA Banks

A critical Citrix NetScaler memory overread (CVE-2026-3055) is being actively exploited against SAML-enabled appliances. Saudi banks must patch and rotate session tokens before attackers harvest more.

FyntraLink Team

CVE-2026-3055 — already nicknamed "CitrixBleed 3" by the research community — turns a missing input check on the NetScaler SAML endpoint into a remote memory leak. With a CVSS of 9.3, active exploitation confirmed by CISA, and a public Metasploit module, this is now a board-level issue for any SAMA-regulated bank running NetScaler ADC or Gateway as a SAML Identity Provider.

Inside CVE-2026-3055: A Trivial Request, A Devastating Leak

Disclosed by Citrix on 23 March 2026, CVE-2026-3055 is an out-of-bounds read in the SAML Identity Provider (IdP) code path of NetScaler ADC and NetScaler Gateway. The flaw lies in how the appliance parses the wctx query string parameter: when the parameter name is present but no = sign or value follows it, the parser still reads the buffer it expects the value to occupy. Whatever bytes follow the parameter in memory are therefore returned to the unauthenticated attacker through the NSC_TASS cookie, one fragment of process memory per request.
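The following is an added, schematic model of that missing check, written for this article; it is not NetScaler code, and the memory layout, the 48-byte value buffer and the neighbouring request data are constructed assumptions. It shows why a bare `wctx` token matters: the unpatched branch positions its read where the value "should" start and copies a fixed-size buffer with nothing to bound it, so the bytes of the next request in memory come back as the value.

```python
"""
Added illustrative model (not NetScaler code) of the read primitive the article
describes for CVE-2026-3055: a query-string parser that, when `wctx` appears
with no '=' and no value, still copies the value buffer it expects to follow.
Memory layout, buffer size and the neighbouring data are constructed for this
example and are not taken from the real appliance.
"""

WCTX_EXPECTED_LEN = 48  # hypothetical: size of the value buffer the parser fills


def _tokens(mem, query_start):
    """Yield (absolute_offset, token) for each '&'-separated token of the
    NUL-terminated query string that begins at `query_start`."""
    end = mem.index(b"\x00", query_start)
    pos = query_start
    for tok in mem[query_start:end].split(b"&"):
        yield pos, bytes(tok)
        pos += len(tok) + 1


def read_param_vulnerable(mem, query_start, name):
    """Unpatched logic (modelled). A well-formed 'name=value' copy is bounded
    by the next '&' or the NUL. A bare name has no value to bound the copy, so
    the parser reads WCTX_EXPECTED_LEN bytes from where the value would have
    started, which is already past the query string's terminator."""
    for off, tok in _tokens(mem, query_start):
        if tok.startswith(name + b"="):
            return bytes(tok[len(name) + 1:])            # bounded, correct
        if tok == name:
            value_start = off + len(name) + 1           # byte after the missing '='
            # Over-read: a real process keeps reading; a Python slice merely
            # stops at the end of our constructed buffer.
            return bytes(mem[value_start:value_start + WCTX_EXPECTED_LEN])
    return None


def read_param_fixed(mem, query_start, name):
    """Patched logic (modelled): only return a value that is actually present
    and delimiter-bounded; a bare name or an empty value is rejected."""
    for _off, tok in _tokens(mem, query_start):
        if tok.startswith(name + b"="):
            value = bytes(tok[len(name) + 1:])
            return value if value else None
    return None


# Constructed "process memory": the attacker's query string is immediately
# followed (after its NUL terminator) by state belonging to another user's
# request. The cookie value is made up.
ATTACKER_QUERY = b"SAMLRequest=fZFNT8MwDIbv%2FIoo97VJ2xFpa%2FsBEgcO&wctx"
VICTIM_STATE = b"Cookie: NSC_AAAC=0123456789abcdef0123456789abcdef01234567\r\n"
MEMORY = bytearray(ATTACKER_QUERY + b"\x00" + VICTIM_STATE + b"\x00")


def demo():
    """Return what each parser hands back for the bare-wctx request."""
    leaked = read_param_vulnerable(MEMORY, 0, b"wctx")
    safe = read_param_fixed(MEMORY, 0, b"wctx")
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("unpatched returns:", leaked)
    print("patched returns:  ", safe)
```

Each request in the model returns whatever happens to sit after the attacker's own query string; on a busy appliance that neighbourhood changes between requests, which is the "slot machine" the researchers describe.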

Researchers at watchTowr, Horizon3, and Picus Security have shown that crafted SAMLRequest payloads sent to /saml/login with a missing AssertionConsumerServiceURL trigger the same primitive on a second endpoint, giving attackers two reliable read gadgets. Each request returns a small but non-deterministic slice of memory — a "slot machine" pattern that yields session tokens, HTTP headers, and SAML assertions of currently authenticated users when repeated at scale.

Why This Vulnerability Is Worse Than CitrixBleed 1 and 2

NetScaler appliances sit at the edge of nearly every bank's remote-access stack, fronting Citrix Virtual Apps, internal banking portals, and federated cloud apps. Memory-disclosure bugs in this class of device do not just leak data; they leak live session state. An attacker who captures a valid NSC_AAAC session cookie or a signed SAML assertion simply replays it: the MFA and conditional-access checks already ran when that session was established, so they are bypassed without ever being triggered again. CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog on 30 March 2026, and Darktrace has observed pre-CVE exploitation telemetry against banking-sector NetScalers in EMEA.

Affected versions are NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23. Only appliances explicitly configured as SAML IdP are exploitable — but in Saudi banking environments, that configuration is the norm rather than the exception, because SAML federation is how most institutions integrate with Microsoft Entra ID, Salesforce, and core banking SaaS.

Impact on SAMA-Regulated Financial Institutions

The SAMA Cyber Security Framework (CSCC) treats remote-access infrastructure as a Tier-1 control surface. CVE-2026-3055 directly threatens compliance with multiple control areas: 3.3.5 (Identity and Access Management), 3.3.10 (Cryptography), 3.3.13 (Cyber Security Event Management), and 3.3.14 (Cyber Security Incident Management). A single unpatched NetScaler can lead to session hijacking against the SWIFT operator workstation, the SADAD payment gateway portal, or the bank's privileged access workstation farm — each of which would qualify as a reportable incident under SAMA's 2-hour notification timeline.

The NCA Essential Cybersecurity Controls (ECC-1:2018) overlap here as well: Subdomain 2-3 (Network Security) requires that internet-facing systems be patched within risk-based timeframes, and Subdomain 2-12 (Cybersecurity Event Logs and Monitoring) mandates detection of anomalous authentication events. Banks operating under PCI-DSS v4.0 must additionally treat any session-token leak from NetScaler as an in-scope cardholder data environment exposure if NetScaler fronts the e-commerce or card-management UI.

Recommended Actions and Practical Steps

  1. Upgrade NetScaler ADC and Gateway to 14.1-66.59 or later on the 14.1 branch, or 13.1-62.23 or later on the 13.1 branch. There is no workaround that removes the read primitive; only the patched binary changes the parameter validation logic.
  2. Immediately invalidate all active sessions after patching. Run kill aaa session -all and force re-authentication; assume any session token issued before patching is compromised. Killing sessions before the patch is installed buys nothing, because the replacement sessions leak just as readily.
  3. Rotate SAML signing certificates and IdP secrets, and review the SAML metadata trust store on every relying party (Entra ID, Okta, Salesforce, banking SaaS).
  4. Hunt for indicators of exploitation: requests to /saml/login or /cgi/samlauth whose query string contains wctx with no = sign and no value, the same source repeating such requests many times (a useful leak needs many reads), repeated NSC_TASS cookie responses, and outbound TLS to attacker infrastructure published by SOCRadar and watchTowr. This hunt needs logs that retain the raw query string (NetScaler web logging, or the WAF or reverse proxy in front of the appliance); the appliance's AAA syslog events do not include it, and a successful leak returns an ordinary response code, so filtering on status codes will not surface it.
  5. Deploy or tune a WAF rule (Imperva, F5 ASM, Akamai) to drop SAML requests with malformed wctx parameters, and rate-limit /saml/login per source, since the leak only becomes useful when the request is repeated at scale. Treat this as a defense-in-depth layer, not a substitute for patching.
  6. Update the bank's vulnerability management SLA and report status to the SAMA Cyber Security Committee within the timeline mandated by CSCC 3.3.6.
  7. Engage a third-party assessor — such as Fyntralink — to validate that the patch was applied across all clustered NetScaler nodes, including DR and active-active pairs that operations teams sometimes miss.
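The hunt in step 4 can be scripted against any log that keeps the request line. The following is an added example written for this article, not a tool from Citrix or the researchers named above: it scans combined-log style lines for SAML endpoint requests whose query carries a bare `wctx`, records the `wctx=` empty-value variant as lower-confidence, and ranks source IPs by how often they repeat the bare form. The log format, every sample line, the IP addresses and the repeat threshold are constructed assumptions; point `LOG_RE` at whatever your NetScaler web log, WAF or reverse proxy actually writes.

```python
"""
Added hunting example (not from the article, Citrix or the named researchers):
scan web-access logs for the CVE-2026-3055 request shape the article describes,
requests to /saml/login or /cgi/samlauth whose query carries `wctx` with no '='
and no value, and rank sources by how often they repeat it.
Log format, sample lines, IPs and threshold are constructed for this example.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

SAML_PATHS = {"/saml/login", "/cgi/samlauth"}
REPEAT_THRESHOLD = 10  # hypothetical: bare-wctx requests per source to call it scraping

# Combined-log style line (constructed format; adapt to your own log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def wctx_state(query: str) -> Optional[str]:
    """Classify how `wctx` appears in a raw query string:
    'bare' (token 'wctx' with no '=' at all, the article's trigger),
    'empty' ('wctx=' with nothing after it), 'value', or None if absent."""
    state = None
    for tok in query.split("&"):
        name, sep, value = tok.partition("=")
        if name != "wctx":
            continue
        if not sep:
            return "bare"
        state = "empty" if value == "" else "value"
    return state


def parse_line(line: str):
    """Split one access-log line into the fields the hunt needs, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "query": parts.query, "status": m.group("status"), "ua": m.group("ua")}


def hunt(lines):
    """Return (hits, per_source): the suspicious SAML requests, and a Counter of
    bare-wctx requests per source IP."""
    hits, per_source = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in SAML_PATHS:
            continue
        state = wctx_state(rec["query"])
        if state in ("bare", "empty"):
            hits.append({**rec, "wctx": state})
            if state == "bare":
                per_source[rec["ip"]] += 1
    return hits, per_source


def scraping_sources(per_source, threshold=REPEAT_THRESHOLD):
    """Sources that repeated the bare-wctx request at least `threshold` times."""
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


def _line(ip, sec, target, ua):
    return (f'{ip} - - [30/Mar/2026:09:14:{sec:02d} +0300] "GET {target} HTTP/1.1" '
            f'302 412 "-" "{ua}"')


# Constructed sample log: two ordinary users, one unrelated request, and one
# source hammering the SAML endpoints with a bare wctx.
SAMPLE_LOG = [
    _line("198.51.100.20", 1, "/saml/login?SAMLRequest=fZFNT8MwDIb&wctx=https%3A%2F%2Fportal.example.sa%2F", "Mozilla/5.0"),
    _line("198.51.100.21", 2, "/saml/login?SAMLRequest=fZFNT8MwDIb&wctx=", "Mozilla/5.0"),
    _line("198.51.100.22", 3, "/vpn/index.html", "Mozilla/5.0"),
] + [
    _line("203.0.113.7", 10 + i, "/saml/login?SAMLRequest=fZFNT8MwDIb&wctx", "python-requests/2.32")
    for i in range(12)
] + [
    _line("203.0.113.7", 40, "/cgi/samlauth?wctx", "python-requests/2.32"),
]


if __name__ == "__main__":
    found, sources = hunt(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} wctx={h["wctx"]} ua="{h["ua"]}"')
    print("likely scraping sources:", scraping_sources(sources))
```

A single bare-`wctx` request is weak evidence on its own (a broken client can produce one); the signal the article describes is the repetition, so act on `scraping_sources` first and treat the `empty` variant as context rather than as a confirmed leak.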

Conclusion

CitrixBleed 3 is not just another CVE on the catalog. It is a reminder that the edge of the bank is now the front line of compliance. Patching is mandatory, but rotating sessions, hunting for prior compromise, and documenting the response for SAMA audit packages are what separate a clean closure from a finding that follows the CISO into next year's report.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on edge-device exposure and session-hijack readiness.