CVE-2026-10046
Out-of-Bounds Write in Bitdefender Napoca Hypervisor
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Bitdefender
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bitdefender | napoca | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Bitdefender Napoca bare-metal hypervisor within the BIOS INT 0x15 / E820 memory map handler. The issue arises because the handler calculates a destination offset into the guest RealModeMemory buffer using guest-controlled ES and EDI register values without verifying that the address stays within the allocated 1MB RealModeMemory buffer.
A malicious guest operating in real mode can exploit this by invoking the INT 0x15 interrupt with specific register values (AX=0xE820, EDX=0x534D4150, ECX >= 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF). This causes the hypervisor to write up to 20 bytes beyond the end of the RealModeMemory buffer into the hypervisor heap, leading to an out-of-bounds write.
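The missing check described above, as an added example (not Napoca source code): it assumes the handler uses the usual real-mode translation, offset = (ES << 4) + EDI, and validates the 20-byte write against the 1MB buffer before copying. The function names, `demo_memory` and `demo_entry` are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REAL_MODE_MEMORY_SIZE 0x100000u /* 1MB buffer size stated in the description */
#define E820_ENTRY_SIZE 20u             /* bytes written per call, per the description */

/* Constructed stand-ins for the hypervisor's buffer and one map entry. */
static uint8_t demo_memory[REAL_MODE_MEMORY_SIZE];
static const uint8_t demo_entry[E820_ENTRY_SIZE] = {0};

/* Assumption: real-mode translation, offset = (ES << 4) + EDI.
 * 64-bit math so a full 32-bit EDI cannot wrap the sum. */
static uint64_t e820_dest_offset(uint16_t es, uint32_t edi)
{
    return ((uint64_t)es << 4) + (uint64_t)edi;
}

/* 1 only when [offset, offset + len) lies inside the 1MB buffer. */
static int e820_dest_in_bounds(uint16_t es, uint32_t edi, uint32_t len)
{
    if (len > REAL_MODE_MEMORY_SIZE)
        return 0;
    return e820_dest_offset(es, edi) <= (uint64_t)REAL_MODE_MEMORY_SIZE - len;
}

/* Hypothetical hardened handler step: reject instead of writing out of bounds. */
static int e820_copy_entry(uint8_t *mem, uint16_t es, uint32_t edi, uint32_t ecx,
                           const uint8_t *entry)
{
    if (ecx < E820_ENTRY_SIZE)
        return -1; /* guest-supplied buffer smaller than one entry */
    if (!e820_dest_in_bounds(es, edi, E820_ENTRY_SIZE))
        return -1; /* destination leaves RealModeMemory */
    memcpy(mem + e820_dest_offset(es, edi), entry, E820_ENTRY_SIZE);
    return 0;
}

int main(void)
{
    /* Register values from the description: ES=0xFFFF, EDI=0xFFFF, ECX=20. */
    printf("offset=0x%llx rc=%d\n",
           (unsigned long long)e820_dest_offset(0xFFFF, 0xFFFF),
           e820_copy_entry(demo_memory, 0xFFFF, 0xFFFF, 20, demo_entry));
    /* A destination in conventional memory is accepted. */
    printf("rc=%d\n", e820_copy_entry(demo_memory, 0x9000, 0, 20, demo_entry));
    return 0;
}
```

The comparison subtracts the length from the buffer size instead of adding it to the offset, so the check itself cannot overflow for any ES and EDI values.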
How can this vulnerability impact me?
The out-of-bounds write vulnerability can lead to corruption of the hypervisor's heap memory, which may cause instability, crashes, or potentially allow an attacker to execute arbitrary code with elevated privileges within the hypervisor environment.
Since the vulnerability can be triggered by a malicious guest operating system, it poses a risk to the security and integrity of the host system and other guests running on the same hypervisor.