CVE-2026-13474
NetScaler · ADC and Gateway
A denial of service vulnerability exists in NetScaler ADC and Gateway due to improper handling of malformed HTTP/2 requests when HTTP/2 is enabled.
Executive summary
NetScaler ADC and Gateway are vulnerable to a denial of service attack that can be triggered by sending specially crafted HTTP/2 requests to a virtual server on which HTTP/2 is enabled.
Vulnerability
This vulnerability involves a flaw in how the system processes HTTP/2 traffic. An unauthenticated attacker can crash the affected service by sending malformed HTTP/2 requests to an endpoint where the protocol is enabled.
Business impact
Exploitation of this vulnerability results in service unavailability, causing significant operational disruption for organizations that rely on NetScaler for load balancing and VPN connectivity. The CVSS score of 8.7 (High) reflects how easily this denial of service can be triggered, with potential impact on business continuity and on user access to critical applications.
Remediation
Immediate Action: Identify all instances where HTTP/2 is enabled on virtual servers and apply the latest security patches provided by NetScaler.
Proactive Monitoring: Monitor system logs for repeated connection failures or unexpected service restarts, which may indicate attempted exploitation.
Compensating Controls: Consider disabling HTTP/2 on affected virtual servers as a temporary measure if a patch cannot be immediately deployed.
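The first remediation step is an inventory of virtual servers that have HTTP/2 enabled. The following script is an added example (not NetScaler's own tooling) that builds that inventory from an `ns.conf` export; it assumes the line shapes in the constructed sample below (`add/set ns httpProfile <name> -http2 ENABLED` and `-httpProfileName <name>` on `lb`, `cs` and `vpn` vservers) and that `nshttp_default_profile` applies when no profile is bound.

```python
import shlex

# Assumed: vservers without an explicit binding use this profile.
DEFAULT_PROFILE = "nshttp_default_profile"

# Constructed sample ns.conf lines (not from a real appliance).
SAMPLE_NS_CONF = """\
add ns httpProfile h2_prof -http2 ENABLED -dropInvalReqs ENABLED
add ns httpProfile legacy_prof -http2 DISABLED
set ns httpProfile nshttp_default_profile -http2 DISABLED
add lb vserver web_h2 SSL 10.0.0.10 443 -httpProfileName h2_prof
add lb vserver web_legacy HTTP 10.0.0.11 80 -httpProfileName legacy_prof
add lb vserver web_default HTTP 10.0.0.12 80
add cs vserver cs_api SSL 10.0.0.13 443 -httpProfileName h2_prof
add vpn vserver gw_vpn SSL 10.0.0.14 443
set vpn vserver gw_vpn -httpProfileName h2_prof
"""


def _flag(tokens, name):
    """Return the value following a -flag token (case-insensitive), else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == name.lower():
            return tokens[i + 1]
    return None


def parse_ns_conf(text):
    """Map HTTP profiles to their HTTP/2 state and vservers to their profile."""
    profiles = {DEFAULT_PROFILE: False}  # assumed: HTTP/2 off unless set
    vservers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = shlex.split(line)
        if len(t) < 4 or t[0] not in ("add", "set"):
            continue
        if t[1] == "ns" and t[2].lower() == "httpprofile":
            val = _flag(t, "-http2")
            if val is not None:
                profiles[t[3]] = val.upper() == "ENABLED"
            else:
                profiles.setdefault(t[3], False)
        elif t[1] in ("lb", "cs", "vpn") and t[2] == "vserver":
            prof = _flag(t, "-httpProfileName")
            if t[0] == "add":
                vservers[t[3]] = prof or DEFAULT_PROFILE
            elif prof and t[3] in vservers:  # later 'set' rebinds the profile
                vservers[t[3]] = prof
    return profiles, vservers


def http2_enabled_vservers(text):
    """Sorted (vserver, profile) pairs whose bound profile has HTTP/2 enabled."""
    profiles, vservers = parse_ns_conf(text)
    return sorted((vs, p) for vs, p in vservers.items() if profiles.get(p, False))
```

Each vserver the script lists is a candidate for patching or, as an interim control, for rebinding to a profile with `-http2 DISABLED`.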
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for complete service disruption, administrators must prioritize the assessment of their NetScaler deployments. Applying vendor-supplied patches is the only definitive way to remediate this vulnerability and restore the integrity of the affected services.