CVE-2026-13474

NetScaler · ADC and Gateway

A denial of service vulnerability exists in NetScaler ADC and Gateway due to improper handling of malformed HTTP/2 requests when HTTP/2 is enabled.

Executive summary

NetScaler ADC and Gateway are vulnerable to a denial of service attack that can be triggered by sending specifically crafted HTTP/2 requests to a configured virtual server.

Vulnerability

This vulnerability involves a flaw in how the system processes HTTP/2 traffic. An unauthenticated attacker can crash the affected service by sending malformed HTTP/2 requests to an endpoint where the protocol is enabled.

Business impact

Exploitation of this vulnerability results in service unavailability, causing significant operational disruption for organizations that rely on NetScaler for load balancing and VPN connectivity. The CVSS score of 8.7 (high severity) reflects how easily this denial of service can be triggered, with potential impact on business continuity and on user access to critical applications.

Remediation

Immediate Action: Identify all instances where HTTP/2 is enabled on virtual servers and apply the latest security patches provided by NetScaler.

Proactive Monitoring: Monitor system logs for repeated connection failures or unexpected service restarts, which may indicate attempted exploitation.

Compensating Controls: Consider disabling HTTP/2 on affected virtual servers as a temporary measure if a patch cannot be immediately deployed.
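As an added example (not part of this advisory and not NetScaler's own tooling), the following Python script supports the Immediate Action and Compensating Controls steps by inventorying which virtual servers are exposed to HTTP/2 from an ns.conf export. It assumes the ns.conf syntax `add/set ns httpProfile <name> -http2 ENABLED` and `-httpProfileName <profile>` on lb/cs/vpn vservers, and that a vserver without an explicit profile inherits the global default profile nshttp_default_profile; the configuration lines themselves are constructed samples.

```python
import re

# Constructed ns.conf excerpt (not a real config); -http2/-httpProfileName are assumed names.
SAMPLE_NS_CONF = """\
add ns httpProfile h2_profile -http2 ENABLED
add ns httpProfile legacy_profile -http2 DISABLED
set ns httpProfile nshttp_default_profile -http2 ENABLED
add lb vserver lb_portal HTTP 10.0.0.10 80 -httpProfileName h2_profile
add lb vserver lb_api SSL 10.0.0.11 443 -httpProfileName legacy_profile
add cs vserver cs_front SSL 10.0.0.12 443
set cs vserver cs_front -httpProfileName h2_profile
add vpn vserver vpn_gw SSL 10.0.0.13 443
"""

PROFILE_RE = re.compile(r"^(?:add|set) ns httpProfile (\S+)(.*)$")
VSERVER_RE = re.compile(r"^(?:add|set) (lb|cs|vpn) vserver (\S+)(.*)$")

def parse_http2_profiles(conf):
    """Profiles whose final -http2 state is ENABLED (a later 'set' overrides an earlier 'add')."""
    state = {}
    for line in conf.splitlines():
        m = PROFILE_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        flag = re.search(r"-http2\s+(ENABLED|DISABLED)\b", rest)
        if flag:
            state[name] = flag.group(1) == "ENABLED"
        else:
            state.setdefault(name, False)  # profile created without touching -http2
    return {name for name, enabled in state.items() if enabled}

def find_http2_vservers(conf, default_profile="nshttp_default_profile"):
    """Vservers (lb/cs/vpn) whose effective HTTP profile has HTTP/2 enabled.
    Assumption: no explicit -httpProfileName means the global default profile applies."""
    http2_profiles = parse_http2_profiles(conf)
    bound = {}
    for line in conf.splitlines():
        m = VSERVER_RE.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        key = f"{kind} vserver {name}"
        explicit = re.search(r"-httpProfileName\s+(\S+)", rest)
        if explicit:
            bound[key] = explicit.group(1)  # explicit binding wins over the default
        else:
            bound.setdefault(key, default_profile)
    return {v: p for v, p in bound.items() if p in http2_profiles}

print(find_http2_vservers(SAMPLE_NS_CONF))
```

Every vserver the script reports is a candidate for patching first, or for temporarily setting its profile's -http2 to DISABLED until the patch can be applied.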

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for complete service disruption, administrators must prioritize the assessment of their NetScaler deployments. Applying vendor-supplied patches is the only definitive way to remediate this vulnerability and restore the integrity of the affected services.