CVE-2026-13474

Summary

Denial of service via malformed HTTP/2 requests in NetScaler ADC and NetScaler Gateway if HTTP/2 is enabled in HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler

Affected Software

VendorProductVersion RangeStatus
NetScalerADC14.1 < 72.61affected
NetScalerADC13.1 < 63.18affected
NetScalerADC14.1 FIPS < 72.61affected
NetScalerADC13.1 FIPS and NDcPP < 37.272affected
NetScalerGateway14.1 < 72.61affected
NetScalerGateway13.1 < 63.18affected

Weaknesses

  • CWE-401: CWE-401 Missing release of memory after effective lifetime

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References