CVE Catalog

CVE-2026-10047

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Summary

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler. It uses a guest-controlled SS:SP-derived offset as an index into the RealModeMemory buffer, leading to an overflow.

Risk Assessment

Exploitation of this vulnerability may allow unauthorized writes to the hypervisor heap, posing a significant threat to system integrity. The product is end-of-life and unsupported.

Recommendation

It is recommended to discontinue use of the product as it is no longer supported. If still in use, consider migrating to a supported solution.

Original NVD description (English source)

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS