High severity · NVD Advisory · Published Jun 2, 2026 · Updated Jun 2, 2026

CVE-2026-10047

Description

Bitdefender Napoca hypervisor has an out-of-bounds write in its real-mode hook handler, allowing guest code to corrupt the hypervisor heap.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled offset derived from SS:SP as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, which exceeds the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product was end-of-life and unsupported when the CVE was assigned [1].
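The arithmetic above and the bounds check the handler lacks, as an added example; this is not Napoca source code. The function names are hypothetical, and the frame is assumed to be the standard real-mode FLAGS, CS, IP words.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REAL_MODE_MEMORY_SIZE 0x100000u /* 1MB buffer, per the description */

/* Real-mode linear offset: SS * 16 + SP (at most 0x10FFEF). */
static uint32_t real_mode_offset(uint16_t ss, uint16_t sp)
{
    return ((uint32_t)ss << 4) + sp;
}

/* Hypothetical hardened push of a real-mode IRET frame (FLAGS, CS, IP).
 * Every destination is validated before any byte is written, so a
 * rejected request leaves the buffer and SP untouched.
 * Returns 0 on success, -1 if any word would fall outside the buffer. */
static int push_iret_frame_checked(uint8_t *mem, size_t mem_size, uint16_t ss,
                                   uint16_t *sp, uint16_t flags, uint16_t cs,
                                   uint16_t ip)
{
    const uint16_t words[3] = { flags, cs, ip }; /* CPU push order */
    uint32_t off[3];
    uint16_t cur = *sp;

    if (mem_size < 2)
        return -1;
    for (int i = 0; i < 3; i++) {
        cur = (uint16_t)(cur - 2);               /* SP wraps at 16 bits */
        off[i] = real_mode_offset(ss, cur);
        if (off[i] > mem_size - 2)               /* the missing bounds check */
            return -1;
    }
    for (int i = 0; i < 3; i++) {
        mem[off[i]]     = (uint8_t)(words[i] & 0xFF); /* little-endian store */
        mem[off[i] + 1] = (uint8_t)(words[i] >> 8);
    }
    *sp = cur;
    return 0;
}

int main(void)
{
    static uint8_t mem[REAL_MODE_MEMORY_SIZE];   /* stand-in for RealModeMemory */
    uint16_t sp = 0xFFFF;                        /* values quoted in the advisory */
    int rc = push_iret_frame_checked(mem, sizeof mem, 0xFFFF, &sp, 0x0202, 0, 0);
    printf("offset=0x%X rc=%d\n", (unsigned)real_mode_offset(0xFFFF, 0xFFFF), rc);
    return 0;
}
```

Validating all three destinations before the first store matters because a check performed per word, after earlier words were written, would still allow a partial frame to land at an unintended offset.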

Exploitation

An attacker with guest access can trigger this vulnerability by manipulating the SS:SP registers to values such as 0xFFFF:0xFFFF. This crafted offset is then used to write past the end of the RealModeMemory buffer during an IRET frame push, corrupting the hypervisor heap [1].

Impact

Successful exploitation allows an attacker to write past the end of the RealModeMemory buffer into the hypervisor heap, potentially leading to arbitrary code execution within the hypervisor context or a denial-of-service condition. The scope of the compromise is the hypervisor itself [1].

Mitigation

The Bitdefender Napoca bare-metal hypervisor is end-of-life and unsupported. No patches are available for this vulnerability. Users should migrate to a supported hypervisor solution [1].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
