Severity: HIGH | CVE-2026-10046 | CNA: Bitdefender

CVE-2026-10046: Out-of-bounds write in Napoca BIOS INT 0x15 E820 memory map handler (VA-13905)

Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
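The missing bounds check described above, as an added example (not Napoca's code): the function names, the `(ES << 4) + EDI` real-mode translation and the guard region are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define REAL_MODE_MEM_SIZE 0x100000u  /* 1MB allocation named in the advisory */
#define E820_ENTRY_SIZE    20u        /* bytes written per E820 descriptor */
#define GUARD_SIZE         64u        /* constructed stand-in for adjacent heap */

/* Hypothetical helper: map guest ES:EDI to an offset inside the real-mode
 * buffer. Returns the offset, or -1 if [offset, offset+len) leaves it. */
static int64_t e820_dest_offset(uint16_t es, uint32_t edi, uint32_t len,
                                size_t buf_size)
{
    /* Assumed real-mode translation (segment << 4) + offset, done in
     * 64 bits so a 32-bit EDI cannot wrap the sum. */
    uint64_t start = ((uint64_t)es << 4) + edi;
    if (len > buf_size || start > (uint64_t)buf_size - len)
        return -1;
    return (int64_t)start;
}

/* Hypothetical write path: copy one descriptor only when the range fits. */
static int e820_write_entry(uint8_t *mem, size_t buf_size, uint16_t es,
                            uint32_t edi, const uint8_t *entry)
{
    int64_t off = e820_dest_offset(es, edi, E820_ENTRY_SIZE, buf_size);
    if (off < 0)
        return -1;                 /* fail the call, write nothing */
    memcpy(mem + off, entry, E820_ENTRY_SIZE);
    return 0;
}

/* Constructed harness: 1MB buffer followed by a guard region. Returns the
 * write result, or -2 if any guard byte changed (an out-of-bounds write). */
static int guarded_write(uint16_t es, uint32_t edi)
{
    static uint8_t mem[REAL_MODE_MEM_SIZE + GUARD_SIZE];
    uint8_t entry[E820_ENTRY_SIZE];
    memset(mem + REAL_MODE_MEM_SIZE, 0xAA, GUARD_SIZE);
    memset(entry, 0x11, sizeof entry);
    int rc = e820_write_entry(mem, REAL_MODE_MEM_SIZE, es, edi, entry);
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (mem[REAL_MODE_MEM_SIZE + i] != 0xAA)
            return -2;
    return rc;
}

/* The register values quoted in the advisory must be rejected. */
int main(void) { return guarded_write(0xFFFF, 0xFFFF) == -1 ? 0 : 1; }
```

The check validates the whole 20-byte range, so a destination that starts inside the buffer but ends past it is rejected as well.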

Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: (no version listed)
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Bitdefender Napoca bare-metal hypervisor, specifically in the BIOS INT 0x15 E820 memory map handler. An attacker with a low-privilege account and local access to a guest operating system running in real mode can trigger the flaw by issuing a crafted INT 0x15 call with specific register values, causing up to 20 bytes to be written past the end of the hypervisor's RealModeMemory heap buffer. Successful exploitation gives the attacker read access to sensitive hypervisor memory, the ability to corrupt hypervisor heap data, and the potential to disrupt or take control of the hypervisor process. No fix versions have been published; HarborGuard tracks this advisory for any upstream patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images, for any package or layer that bundles the Napoca hypervisor. Scanning is continuous, so newly pushed images are evaluated against this CVE as soon as they enter a monitored registry or CI pipeline.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS v4.0 score of 8.5 (HIGH) and applies per-environment compliance policy weighting to determine urgency before routing the finding to the appropriate team inbox within each customer organization. Because no fix version exists, triage annotations flag the advisory status and recommend compensating controls while monitoring continues.

Status: Available

Patch

Because no fix version has been published and Napoca is end-of-life, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, customers with auto-remediation enabled will receive compensating-control recommendations, such as network-policy isolation of affected workloads, surfaced directly in the remediation workflow.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable handler is required.

  • Authentication: Required

    Any low-privilege account on the guest is sufficient to invoke the crafted INT 0x15 call.

  • Victim interaction: Not required

    No victim action or social engineering is needed; the attacker triggers the flaw directly.

  • Attack complexity

    The exploit is reliable and condition-free: specific register values are publicly documented in the CVE, and no race condition or memory-layout dependency must be satisfied.

Blast Radius

  • Reads hypervisor heap memory adjacent to the RealModeMemory buffer, exposing internal hypervisor data structures and potentially sensitive guest or host memory contents.
  • Writes up to 20 bytes of attacker-influenced data past the end of the RealModeMemory allocation, corrupting hypervisor heap metadata or adjacent data.
  • Heap corruption opens a path to redirecting hypervisor execution flow, which breaks the isolation boundary between the guest and the bare-metal hypervisor layer.

How HarborGuard Handles This

Available on HarborGuard: continuous scanning matches this CVE against every image in monitored registries and pipelines, including custom-built images that incorporate Napoca binaries, within minutes of ingestion. Because the Napoca hypervisor is end-of-life and no upstream patch exists, HarborGuard re-evaluates the advisory on each ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. For customers who opt into auto-remediation, that rebuild is followed by a regression-test run and a PR opened against affected workloads. In the meantime, HarborGuard surfaces compensating-control guidance in the finding detail, including isolating workloads that ship Napoca via network policy, restricting guest real-mode execution paths where the platform allows it, and applying egress filtering to limit the reach of any compromised hypervisor process. Where compliance policy permits, these recommendations are attached directly to the routed finding so the responsible team can act without leaving the HarborGuard workflow.

Affected packages
  • Bitdefender / Napoca bare-metal hypervisor
    all
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N