CVE-2026-10047 | THREATINT

Description

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

PUBLISHED Reserved 2026-05-28 | Published 2026-06-02 | Updated 2026-06-02 | Assigner Bitdefender

HIGH: 8.5CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-787: Out-of-bounds Write

Product status

Default status

affected

all (git)

affected

Credits

Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) finder

References

www.bitdefender.com/...er-via-guest-controlled-sssp-va-13905

cve.org (CVE-2026-10047)

nvd.nist.gov (CVE-2026-10047)

Download JSON