CVE-2026-10047

UNKNOWN 0.0

Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905)

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

CWE	CWE-787
Vendor	bitdefender
Product	napoca bare-metal hypervisor
Published	Jun 2, 2026
Last Updated	Jun 2, 2026

Stay Ahead of the Next One

Get instant alerts for bitdefender napoca bare-metal hypervisor

Be the first to know when new unknown vulnerabilities affecting bitdefender napoca bare-metal hypervisor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Bitdefender / Napoca bare-metal hypervisor

all

References

NVD ↗ CVE.org ↗ EPSS Data ↗

bitdefender.com: https://www.bitdefender.com/support/security-advisories/out-of-bounds-write-in-napoca-real-mode-hook-handler-via-guest-controlled-sssp-va-13905

Credits

Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)