CVE-2026-10046
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Write in Bitdefender Napoca Hypervisor

Publication date: 2026-06-02

Last updated on: 2026-06-08

Assigner: Bitdefender

Description
Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-08
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10046
EUVD
EUVD-2026-33943
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bitdefender napoca *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Bitdefender Napoca bare-metal hypervisor within the BIOS INT 0x15 / E820 memory map handler. The issue arises because the handler calculates a destination offset into the guest RealModeMemory buffer using guest-controlled ES and EDI register values without verifying that the address stays within the allocated 1MB RealModeMemory buffer.

A malicious guest operating in real mode can exploit this by invoking the INT 0x15 interrupt with specific register values (AX=0xE820, EDX=0x534D4150, ECX >= 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF). This causes the hypervisor to write up to 20 bytes beyond the end of the RealModeMemory buffer into the hypervisor heap, leading to an out-of-bounds write.

Impact Analysis

The out-of-bounds write vulnerability can lead to corruption of the hypervisor's heap memory, which may cause instability, crashes, or potentially allow an attacker to execute arbitrary code with elevated privileges within the hypervisor environment.

Since the vulnerability can be triggered by a malicious guest operating system, it poses a risk to the security and integrity of the host system and other guests running on the same hypervisor.

Mitigation Strategies

The product is end-of-life and unsupported, which implies that no official patches or updates are available to fix this vulnerability.

Immediate mitigation steps would include discontinuing use of the affected Bitdefender Napoca bare-metal hypervisor and migrating to a supported and patched hypervisor solution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10046. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart