Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
AnalysisAI
Out-of-bounds heap write in the Bitdefender Napoca bare-metal hypervisor lets a malicious guest VM operating in real mode corrupt hypervisor memory through a crafted INT 0x15/E820 BIOS call, potentially enabling guest-to-host escape. The flaw resides in napoca/guests/bios_handlers.c, which computes a write offset from attacker-controlled ES:EDI register values without bounds checking against the 1MB RealModeMemory buffer. No public exploit identified at time of analysis, and CISA SSVC classifies exploitation status as 'none' - but the product is end-of-life and unsupported, raising the long-term risk profile.
Technical ContextAI
Napoca is Bitdefender's Type-1 bare-metal hypervisor that intercepts legacy BIOS services for guest VMs running in real mode. The vulnerable component emulates the BIOS INT 0x15 function AX=0xE820, the standard System Memory Map query interface used by bootloaders and early OS code to enumerate physical memory regions. The handler writes up to 20 bytes of E820 entry data into a per-guest 1MB RealModeMemory scratch buffer, but the destination is computed by combining the guest's segmented ES:EDI pointer (ES=0xFFFF, EDI=0xFFFF yields a 20-bit linear address far beyond the buffer). The CWE-787 (Out-of-bounds Write) root cause is a missing bounds check on the segment-translated linear address before the memcpy/structured write into the hypervisor heap, allowing controlled corruption of adjacent allocator metadata or hypervisor state. The affected CPE is cpe:2.3:a:bitdefender:napoca_bare-metal_hypervisor:*:*:*:*:*:*:*:*, covering all versions per the EUVD record.
RemediationAI
No vendor-released patch identified at time of analysis - Bitdefender has declared Napoca end-of-life and unsupported, so no fixed version will be published. The only durable remediation is migration off Napoca to a currently supported Type-1 hypervisor (e.g., a vendor-supported KVM/Xen/Hyper-V/ESXi stack); plan replacement of any host still running Napoca and treat continued use as accepting an unpatched guest-escape primitive. As a stopgap until migration, restrict which workloads can run on Napoca to fully trusted guests under your administrative control, since exploitation requires the attacker to execute code inside a guest VM - do not run untrusted or multi-tenant workloads on affected hosts. Network-isolate Napoca hosts so a compromised guest cannot be the pivot point into a broader environment, and increase monitoring of guest boot-time BIOS service usage where feasible (trade-off: BIOS INT 0x15/E820 is invoked by virtually every legitimate guest bootloader, so signal-to-noise will be poor). Consult the Bitdefender advisory at https://www.bitdefender.com/consumer/support/security-advisories/out-of-bounds-write-in-napoca-bios-int-0x15-e820-memory-map-handler-va-13905 for any vendor-specific guidance.
More in Napoca Bare Metal Hypervisor
View allSame weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33943
GHSA-mpc3-vg75-whww