CVE-2026-10047: Bitdefender Napoca Out-of-Bounds Write in Real-Mode Handler
Bitdefender's Napoca bare-metal hypervisor contains a memory safety flaw that allows a local attacker with limited privileges to write data beyond the boundaries of an internal memory buffer. By crafting specific processor register values, an attacker can overflow into the hypervisor's heap memory, potentially corrupting critical hypervisor state or executing arbitrary code. This vulnerability affects an end-of-life product that is no longer receiving security updates.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10047 is an out-of-bounds write vulnerability in Napoca's real-mode hook handler (napoca/kernel/handler.c). The vulnerability arises because the handler derives a buffer index from guest-controlled SS:SP register values without performing bounds validation against the 1MB RealModeMemory buffer. A crafted guest can set SS=0xFFFF and ESP=0xFFFF to generate an offset of 0x10FFEF, which exceeds the buffer's 1MB limit by 65,519 bytes. When the handler executes an IRET frame push operation, the write extends into the adjacent hypervisor heap, enabling arbitrary heap corruption. The flaw is classified as CWE-787 (out-of-bounds write).
Business impact
Organizations relying on Napoca for virtualization security are exposed to local privilege escalation and potential guest-to-hypervisor escape scenarios. A compromised guest VM can corrupt hypervisor memory, destabilizing other VMs on the same physical host or establishing persistence mechanisms. Given that Napoca is end-of-life and unsupported, no vendor patches are forthcoming, making this a permanent risk unless deployments are decommissioned or isolated. Affected enterprises should assess whether Napoca remains in production and plan migration strategies accordingly.
Affected systems
Bitdefender Napoca bare-metal hypervisor. The product is explicitly end-of-life and no longer receives vendor support. Any deployed instance of Napoca is vulnerable; no patched versions exist.
Exploitability
The vulnerability requires local access (a compromised or malicious guest VM) and low privilege (the attacker operates within the guest context). Exploitation is straightforward: set guest registers to trigger an out-of-bounds index, then execute an instruction sequence that causes the handler to write the IRET frame. No complex user interaction is required. The attack surface is directly accessible from any guest VM, making this a high-risk flaw for multi-tenant hypervisor environments. Exploit code is not known to be in active circulation, but the simplicity of the trigger suggests weaponization is feasible.
Remediation
Because Napoca is end-of-life, Bitdefender will not release patches. Organizations must migrate to a supported hypervisor platform (e.g., newer Bitdefender offerings or alternative virtualization stacks) or decommission Napoca deployments. Interim risk mitigation includes: strict VM isolation (limiting guest capabilities), air-gapping Napoca hosts from untrusted networks, and restricting guest creation to trusted sources. These measures reduce exposure but do not eliminate the underlying vulnerability.
Patch guidance
No patch is available from Bitdefender for this end-of-life product. Verify your inventory to identify all Napoca deployments. If Napoca is still in use, contact Bitdefender support to discuss migration pathways to supported alternatives. Document the timeline for decommissioning or replacement in your asset management system.
Detection guidance
Detection at runtime is difficult because the vulnerability occurs within the hypervisor's real-mode handler logic. Focus detection efforts on identifying Napoca deployments via asset discovery tools (check for the presence of Napoca hypervisor binaries and configuration). Inspect VM guest OS logs for unusual crashes or memory protection faults that might signal heap corruption. Monitor host-level kernel logs for unexpected hypervisor faults. If security monitoring tools are deployed within guest VMs, configure them to alert on abnormal register manipulation patterns that target SS and SP values. Note that no KEV active exploitation evidence has been reported as of the CVE publication date.
Why prioritize this
Although this is a HIGH-severity vulnerability with a CVSS score of 7.8, prioritization depends on whether Napoca remains in active use in your environment. If you have no Napoca deployments, risk is zero. If Napoca is present, this is a critical finding because: (1) local guest-to-hypervisor escape is highly damaging in multi-tenant environments, (2) no patch is available, and (3) remediation requires architectural changes (migration or decommission). Prioritize inventory and migration planning over all other Napoca-related tasks.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector = Local (AV:L, requires guest access), Attack Complexity = Low (AC:L, straightforward trigger), Privileges Required = Low (PR:L, guest user level suffices), User Interaction = None (UI:N, no user action needed), and full impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H). The score does not discount end-of-life status; it reflects the technical severity of the flaw itself. In practice, risk is modulated by whether Napoca is deployed at all.
Frequently asked questions
Is there a patch for Napoca?
No. Napoca is end-of-life and Bitdefender does not provide patches. Remediation requires migration to a supported hypervisor platform or decommissioning.
Can this vulnerability be exploited from outside a guest VM?
No. The vulnerability requires a compromised or malicious guest VM to set register values and trigger the real-mode handler. It is not remotely exploitable.
What is the impact of a successful exploit?
A guest VM can corrupt the hypervisor's heap memory, potentially destabilizing other VMs, achieving code execution within the hypervisor, or establishing persistence. In multi-tenant scenarios, this enables lateral movement between VMs.
How should we prioritize remediation if we have Napoca in production?
Begin with a complete inventory of Napoca instances. Develop a migration plan to a supported hypervisor, prioritizing hosts with untrusted guest workloads. Implement strict VM isolation policies as a temporary measure. Set a firm decommission date and communicate it to stakeholders.
This analysis is based on publicly available information current as of the CVE publication date (2026-06-02). Bitdefender has declared Napoca end-of-life; no vendor patches or updates are forthcoming. Organizations must verify their own Napoca deployment status and consult Bitdefender's official security advisories for authoritative guidance. This assessment is provided for informational purposes and does not constitute professional security advice tailored to your environment. Conduct your own risk assessment and engage qualified security professionals for remediation planning. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10046HIGHBitdefender Napoca Hypervisor Out-of-Bounds Write Vulnerability
- CVE-2021-4478HIGHDräger CC-Vision Buffer Overflow in .gdt File Parsing
- CVE-2025-59605HIGHQualcomm Memory Corruption in Device Identifier Processing
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10925HIGHSkia Out-of-Bounds Write Enables macOS Chrome Sandbox Escape
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required