CVE-2026-10047 PUBLISHED

Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905)

Assigner: Bitdefender
Reserved: 28.05.2026 Published: 02.06.2026 Updated: 02.06.2026

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Bitdefender
Product	Napoca bare-metal hypervisor
Versions	Default: affected Version all is affected

Workarounds

No workaround is available.

Solutions

No fix is planned because Bitdefender Napoca is end-of-life. Users should discontinue use of the unsupported product.

Credits

Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) finder

References

https://www.bitdefender.com/support/security-advisories/out-of-bounds-write-in-napoca-real-mode-hook-handler-via-guest-controlled-sssp-va-13905

Problem Types

CWE-787: Out-of-bounds Write CWE

Impacts

Overflow Buffers