Description
The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
Published: 2026-06-02
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability appears in the Bitdefender Napoca bare-metal hypervisor. The real-mode hook handler uses a guest-controlled SS:SP pair to calculate an offset into a 1 MB RealModeMemory buffer without bounds validation. When SS=0xFFFF and ESP=0xFFFF the offset reaches 0x10FFEF, 65 519 bytes beyond the buffer, allowing the IRET frame push to write outside the buffer into the hypervisor heap. This can corrupt heap structures and potentially allow exploitation of hypervisor data, leading to privilege escalation or denial of service. The weakness is an out-of-bounds write (CWE-787).
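The missing bounds validation described above, sketched as an added example; this is not Napoca's code and not from handler.c. The buffer `rm_mem` and the functions `rm_linear`, `rm_overrun`, `rm_push_iret_frame` and `rm_try_push` are hypothetical names, and the three-word FLAGS/CS/IP frame is the standard real-mode interrupt frame, assumed here.

```c
#include <stdint.h>
#include <string.h>

#define RM_MEM_SIZE 0x100000u            /* 1 MB, the size the description gives */
static uint8_t rm_mem[RM_MEM_SIZE];      /* constructed stand-in buffer */

/* Real-mode linear offset: segment * 16 + 16-bit offset (no A20 wrap). */
static uint32_t rm_linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* Bytes by which [off, off+len) runs past the buffer; 0 when it fits. */
static uint32_t rm_overrun(uint32_t off, uint32_t len)
{
    uint64_t end = (uint64_t)off + len;
    return end > RM_MEM_SIZE ? (uint32_t)(end - RM_MEM_SIZE) : 0;
}

/* Push FLAGS, CS, IP the way a real-mode interrupt entry does. Every slot is
 * validated before any byte is written, so a rejected frame leaves the buffer
 * and SP untouched. Returns 0 on success, -1 if any slot is out of bounds. */
static int rm_push_iret_frame(uint16_t ss, uint16_t *sp,
                              uint16_t flags, uint16_t cs, uint16_t ip)
{
    const uint16_t words[3] = { flags, cs, ip };
    uint32_t slot[3];
    uint16_t cur = *sp;

    for (int i = 0; i < 3; i++) {
        cur = (uint16_t)(cur - 2);        /* SP wraps inside the 64 KB segment */
        slot[i] = rm_linear(ss, cur);
        if (rm_overrun(slot[i], sizeof words[i]) != 0)
            return -1;                    /* guest-chosen SS:SP leaves the buffer */
    }
    for (int i = 0; i < 3; i++)
        memcpy(rm_mem + slot[i], &words[i], sizeof words[i]);
    *sp = cur;
    return 0;
}

/* Helper for checks: push a fixed sample frame, return the new SP or -1. */
static int32_t rm_try_push(uint16_t ss, uint16_t sp)
{
    return rm_push_iret_frame(ss, &sp, 0x0202, 0xF000, 0x1234) ? -1 : sp;
}

int main(void) { return rm_try_push(0xFFFF, 0xFFFF) == -1 ? 0 : 1; }
```

With SS=0xFFFF the check also rejects SP=0x0004, where the first two slots fit but the third wraps to 0xFFFE and lands above 1 MB.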

Affected Systems

The affected vendor is Bitdefender, product Napoca bare-metal hypervisor. No specific version details are listed; the product is end-of-life and unsupported. Users should stop using this hypervisor.

Risk and Exploitability

The CVSS score is 8.5, indicating a high severity design flaw. The EPSS score is not available, so the current probability of exploitation is unknown. The vulnerability is not listed in CISA KEV, implying no known active exploitation. Attackers triggering the flaw must control guest registers SS and SP, so the attack vector is likely local to a guest VM with privileged access. Successful exploitation could corrupt the hypervisor heap, leading to unauthorized code execution on the host or data loss. Overall, the risk is high for any system still running this unsupported hypervisor.

Generated by OpenCVE AI on June 2, 2026 at 16:26 UTC.

Remediation

Vendor Solution

No fix is planned because Bitdefender Napoca is end-of-life. Users should discontinue use of the unsupported product.


Vendor Workaround

No workaround is available.


OpenCVE Recommended Actions

  • Cease use of Bitdefender Napoca and migrate to a supported hypervisor platform.
  • If migration cannot be performed immediately, isolate the hypervisor from untrusted guests by enforcing strict access controls and disabling direct control of SS:SP registers, and monitor guest activity for signs of exploitation.
  • Maintain a comprehensive monitoring strategy for the hypervisor environment, keeping logs of CPU register accesses and heap usage, and applying general best practices for VM isolation and privilege separation.

Generated by OpenCVE AI on June 2, 2026 at 16:26 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
Title Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905)
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published:

Updated: 2026-06-02T16:06:55.065Z

Reserved: 2026-05-28T22:57:30.259Z

Link: CVE-2026-10047

Vulnrichment

Updated: 2026-06-02T16:06:50.991Z

NVD

Status: Awaiting Analysis

Published: 2026-06-02T16:16:31.747

Modified: 2026-06-02T17:14:05.363

Link: CVE-2026-10047

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T16:30:13Z