Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
AnalysisAI
Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.
Technical ContextAI
Napoca is Bitdefender's bare-metal (Type-1) hypervisor that enforces guest isolation directly on hardware. The vulnerable code path is napoca/kernel/handler.c, which intercepts real-mode operations from guests and stages data in a fixed 1MB RealModeMemory buffer. The handler computes the write offset from the guest's stack segment (SS) and stack pointer (SP/ESP) without validating the result is within the 1MB region - a textbook CWE-787 out-of-bounds write. With SS=0xFFFF and ESP=0xFFFF, the linear offset (SS<<4)+ESP reaches 0x10FFEF, overshooting the buffer by 65,519 bytes so the IRET frame push lands in the hypervisor heap. Because Napoca runs at higher privilege than any guest, corrupting its heap is a privilege-boundary violation, not just intra-guest memory corruption.
RemediationAI
No vendor-released patch identified at time of analysis - Bitdefender confirms Napoca is end-of-life and unsupported, so no fixed version will be issued. The recommended remediation is migration off Napoca to a supported Type-1 hypervisor (e.g., a current Bitdefender HVI offering or another vendor's hypervisor with active security maintenance); consult the Bitdefender advisory at https://www.bitdefender.com/support/security-advisories/out-of-bounds-write-in-napoca-real-mode-hook-handler-via-guest-controlled-sssp-va-13905 for vendor guidance. Until migration completes, compensating controls are limited because the trust boundary itself is broken: restrict which workloads run as guests to ones whose kernel/admin level you already trust (since CVSS PR:L requires some privilege inside the guest), avoid hosting untrusted or multi-tenant guests on Napoca, and disable any guest features that exercise real-mode code paths where operationally feasible - accepting the trade-off that legacy boot or BIOS-emulation workloads may break. Monitor hypervisor-level integrity (heap canaries, crash telemetry) so that exploitation attempts producing instability are detected, while recognizing this is detection, not prevention.
More in Napoca Bare Metal Hypervisor
View allSame weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33944
GHSA-m94v-7gjf-wmxq