CVE Catalog

CVE-2026-10046

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Summary

The Bitdefender Napoca hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler. The handler computes a destination address based on guest-controlled ES and EDI register values, potentially leading to writes beyond the allocated RealModeMemory.

Risk Assessment

A malicious guest operating in real mode can exploit this vulnerability to write data into the hypervisor's memory area, potentially causing system instability or data leakage. The product is end-of-life and unsupported.

Recommendation

It is recommended to avoid using unsupported software versions and to migrate to supported solutions. Additionally, monitoring and restricting access to virtual environments should be implemented to minimize the risk of exploitation.

Original NVD description (English source)

Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS