Skip to main content

Bitdefender Napoca Hypervisor CVE-2026-10047

| EUVDEUVD-2026-33944 HIGH
Out-of-bounds Write (CWE-787)
2026-06-02 Bitdefender GHSA-m94v-7gjf-wmxq
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 18:07 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
8.5 (HIGH)
CVE Published
Jun 02, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

AnalysisAI

Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.

Technical ContextAI

Napoca is Bitdefender's bare-metal (Type-1) hypervisor that enforces guest isolation directly on hardware. The vulnerable code path is napoca/kernel/handler.c, which intercepts real-mode operations from guests and stages data in a fixed 1MB RealModeMemory buffer. The handler computes the write offset from the guest's stack segment (SS) and stack pointer (SP/ESP) without validating the result is within the 1MB region - a textbook CWE-787 out-of-bounds write. With SS=0xFFFF and ESP=0xFFFF, the linear offset (SS<<4)+ESP reaches 0x10FFEF, overshooting the buffer by 65,519 bytes so the IRET frame push lands in the hypervisor heap. Because Napoca runs at higher privilege than any guest, corrupting its heap is a privilege-boundary violation, not just intra-guest memory corruption.

RemediationAI

No vendor-released patch identified at time of analysis - Bitdefender confirms Napoca is end-of-life and unsupported, so no fixed version will be issued. The recommended remediation is migration off Napoca to a supported Type-1 hypervisor (e.g., a current Bitdefender HVI offering or another vendor's hypervisor with active security maintenance); consult the Bitdefender advisory at https://www.bitdefender.com/support/security-advisories/out-of-bounds-write-in-napoca-real-mode-hook-handler-via-guest-controlled-sssp-va-13905 for vendor guidance. Until migration completes, compensating controls are limited because the trust boundary itself is broken: restrict which workloads run as guests to ones whose kernel/admin level you already trust (since CVSS PR:L requires some privilege inside the guest), avoid hosting untrusted or multi-tenant guests on Napoca, and disable any guest features that exercise real-mode code paths where operationally feasible - accepting the trade-off that legacy boot or BIOS-emulation workloads may break. Monitor hypervisor-level integrity (heap canaries, crash telemetry) so that exploitation attempts producing instability are detected, while recognizing this is detection, not prevention.

Share

CVE-2026-10047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy