CVE-2026-10047 HIGH

CVE-2026-10047: Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905)

Vendor Bitdefender

Product Napoca bare-metal hypervisor

Weakness CWE-787

Published June 2, 2026

Last update June 2, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.

Key dates

02Disclosure timeline

June 2, 2026 CVE published

June 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-10047 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/787.html

Related vulnerabilities

CVE-2026-10047: Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905)

01Description

02Disclosure timeline

03References

04Related CVE