CVE-2026-3055 (CVSS 9.1) is a critical out-of-bounds read in Citrix NetScaler ADC and NetScaler Gateway, patched March 23, 2026 via Citrix bulletin CTX696300, with potential for unauthenticated code execution or sensitive memory extraction from perimeter-facing appliances. EPSS is currently low but Citrix appliances have a documented history of rapid exploitation following disclosure; low EPSS should not be used to defer patching. Immediate actions: apply the March 23 patch per CTX696300, restrict management interface access to trusted IP ranges, and monitor for anomalous authentication or process crash events on appliances.