CVE-2026-10046: Bitdefender Napoca Hypervisor Out-of-Bounds Write Vulnerability
Bitdefender Napoca is a bare-metal hypervisor—a foundational piece of virtualization software that runs directly on hardware. A vulnerability exists in how it handles a legacy BIOS memory lookup request (INT 0x15). When a guest operating system makes this request with specific register values, the hypervisor fails to check whether the destination memory address is valid, allowing data to be written beyond the allocated buffer. An attacker with access to a guest system can exploit this to write data into the hypervisor's internal memory, potentially compromising the entire virtualization layer. Importantly, Napoca is end-of-life and no longer receives vendor support.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10046 is an out-of-bounds write vulnerability in Bitdefender Napoca's real-mode BIOS interrupt handler. The vulnerability resides in napoca/guests/bios_handlers.c, specifically in the INT 0x15 / E820 memory map handler. The handler calculates a destination offset within the guest's RealModeMemory buffer by combining ES (segment) and EDI (offset) register values supplied by the guest without performing bounds validation. When a guest executes INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX ≥ 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF, the computed address points beyond the 1MB RealModeMemory allocation. This permits writing up to 20 bytes into adjacent hypervisor heap memory. The vulnerability requires local guest access and low privilege, classified as CWE-787 (out-of-bounds write).
Business impact
Organizations running Bitdefender Napoca face a critical isolation breach. A malicious guest can compromise the hypervisor's memory integrity, potentially enabling escalation to arbitrary code execution within the hypervisor context. This undermines the security assumption that hypervisors isolate and control guest workloads. If Napoca is used to partition security-sensitive operations or enforce compliance boundaries, a guest escape or hypervisor compromise could bypass those protections entirely. The end-of-life status means no vendor patches will be released, leaving affected deployments in a perpetual vulnerable state unless decommissioned or replaced.
Affected systems
Bitdefender Napoca bare-metal hypervisor in all versions is affected. Since the product is end-of-life and unsupported at the time of CVE assignment, no current versions are receiving security updates. Any organization still operating Napoca—whether in production or legacy environments—is potentially affected if guest systems are not fully isolated or trusted.
Exploitability
Exploitability is straightforward for an attacker with guest-level access. The attack requires only the ability to execute real-mode code or invoke BIOS interrupts from a guest environment and does not require elevated hypervisor privileges. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects local attack vector, low attack complexity, low privilege requirement, and high impact across confidentiality, integrity, and availability. The exploit does not require user interaction. No known public exploit code is documented in the KEV catalog, but the technical barrier to weaponization is low given the deterministic nature of the flaw.
Remediation
No vendor patch will be released for Napoca due to end-of-life status. Organizations must pursue one of two paths: (1) decommission or migrate away from Napoca to a supported alternative hypervisor, or (2) implement strict isolation measures to prevent guest systems from executing untrusted code or invoking BIOS interrupts. Isolation may include disabling real-mode execution where possible, enforcing strict code integrity policies on guest images, and network segmentation to limit lateral movement if a guest is compromised.
Patch guidance
No official patch is available from Bitdefender. Verify current Napoca deployment status with your infrastructure team immediately. If Napoca remains in production, initiate a migration plan to a vendor-supported hypervisor platform (such as Xen, KVM, or commercial alternatives). Coordinate the transition with application and compliance teams to ensure continuity. Do not rely on workarounds; the absence of vendor support means future vulnerabilities will remain unaddressed.
Detection guidance
Monitor hypervisor logs for anomalous real-mode interrupt handler activity, particularly INT 0x15 calls with the specific register signatures noted in the vulnerability description (AX=0xE820, EDX=0x534D4150, ES=0xFFFF, EDI=0xFFFF). Use kernel/hypervisor debuggers to instrument bios_handlers.c entry points if feasible in your test environment. Heap memory canaries or guard pages placed adjacent to RealModeMemory may catch exploitation attempts, though production deployment of such instrumentation should be validated separately. Asset inventory scans should identify any remaining Napoca instances for accelerated remediation.
Why prioritize this
Prioritize this vulnerability at maximum severity. Although it requires local guest access, the impact is critical—it enables hypervisor compromise and complete guest isolation bypass. The end-of-life status eliminates any prospect of vendor remediation, making remediation through migration or decommissioning mandatory rather than discretionary. Organizations still operating Napoca are in an actively unsupported state that compounds risk.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of local attack vector, low complexity, and high impact across confidentiality, integrity, and availability. While the attack requires local privilege (PR:L), the barrier to obtaining guest-level access in many environments is modest, especially if guest images are not fully controlled or validated. The high impact score is warranted because a successful hypervisor heap corruption can lead to arbitrary code execution within the hypervisor, effectively compromising all guest isolation. The end-of-life status elevates operational risk beyond the CVSS score alone.
Frequently asked questions
Can we stay on Napoca if we disable real-mode support in our guest operating systems?
Disabling real-mode support may mitigate this specific vulnerability if enforced uniformly across all guests and guest boot stages. However, Napoca is end-of-life, meaning no vendor will release patches for new vulnerabilities. Mitigation rather than remediation is a temporary measure and does not address the broader risk of an unsupported hypervisor. Migration should remain the goal.
Is this vulnerability in the CISA KEV catalog?
No, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. However, the absence of public exploit activity does not reduce the urgency of remediation, especially for an end-of-life product. Local attack vector vulnerabilities with high impact are attractive targets once details become widely known.
What hypervisor platforms should we migrate to?
Supported alternatives include KVM (open-source, Linux-native), Xen (mature, widely deployed), Hyper-V (Windows Server environments), and vSphere/ESXi (enterprise VMware). Evaluate based on your existing infrastructure, guest compatibility, compliance requirements, and support needs. Engage your vendor and IT team to pilot migration in a non-production environment before full rollout.
If we cannot migrate immediately, what interim controls help?
Network isolation of Napoca-based workloads, strict guest image validation and code signing, disabling guest execution of untrusted code, and implementing host-level intrusion detection to flag anomalous hypervisor behavior are interim measures. These reduce risk but do not eliminate it. Establish a firm migration timeline and track progress weekly.
This analysis is provided for informational purposes by SEC.co and does not constitute legal, compliance, or vendor-specific advice. CVE-2026-10046 affects end-of-life Bitdefender Napoca; no vendor patch will be released. Verify all technical details, affected versions, and remediation options with Bitdefender and your infrastructure team before taking action. Proof-of-concept code and exploitation techniques are not provided herein. Organizations must conduct their own risk assessment and testing in non-production environments prior to implementing any changes. This page may be updated as new information becomes available. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10047HIGHBitdefender Napoca Out-of-Bounds Write in Real-Mode Handler
- CVE-2021-4478HIGHDräger CC-Vision Buffer Overflow in .gdt File Parsing
- CVE-2025-59605HIGHQualcomm Memory Corruption in Device Identifier Processing
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10925HIGHSkia Out-of-Bounds Write Enables macOS Chrome Sandbox Escape
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required