CVE 8.5 HIGH

Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905)_CVE-2026-10047

June 2, 2026 invoker category_cve
8.5 / 10
HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

AI Analysis

Out-of-bounds write vulnerability in the real-mode hook handler of Bitdefender Napoca bare-metal hypervisor

Basic Information

ID CVE-2026-10047
Source Bitdefender
Published Jun 2, 2026 at 14:17

Affected Product

Vendor Bitdefender
Product Napoca bare-metal hypervisor
Version all
Affected Versions Bitdefender Napoca bare-metal hypervisor all

CWE Classification

CWE-787

AI Assessment

AI Score 8.5 / 10
AI Severity High
Vendor Bitdefender
Product Napoca bare-metal hypervisor
Version all

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.