HIGH | CVE-2026-10047 | Published | Modified | CNA Bitdefender

CVE-2026-10047: Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905)

The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
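The offset arithmetic described above, together with the bounds check the description says is missing, as an added example (not Napoca's code and not part of the advisory). The names `rm_linear`, `rm_overshoot` and `rm_frame_ptr`, the stand-in buffer, and the assumption that a 6-byte real-mode IRET frame is written upward from the computed offset are illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RM_BUF_SIZE   0x100000u /* 1MB buffer size stated in the advisory */
#define RM_IRET_FRAME 6u        /* real-mode IRET frame: 16-bit IP, CS, FLAGS */

/* Stand-in for the hypervisor's buffer (hypothetical, for this example only). */
static uint8_t real_mode_memory[RM_BUF_SIZE];

/* Real-mode linear offset: segment * 16 + stack pointer (maximum 0x10FFEF). */
static uint32_t rm_linear(uint16_t ss, uint16_t sp)
{
    return ((uint32_t)ss << 4) + sp;
}

/* Distance of the computed offset beyond the buffer's end (0 when not beyond). */
static uint32_t rm_overshoot(uint16_t ss, uint16_t sp)
{
    uint32_t off = rm_linear(ss, sp);
    return off >= RM_BUF_SIZE ? off - RM_BUF_SIZE : 0;
}

/* Hardened accessor: pointer for a len-byte frame write, or NULL when any
 * byte of [off, off + len) would fall outside the buffer.
 * Assumption: the frame is written upward from the computed offset. */
static uint8_t *rm_frame_ptr(uint8_t *buf, size_t size,
                             uint16_t ss, uint16_t sp, size_t len)
{
    uint32_t off = rm_linear(ss, sp);
    if (len > size || off > size - len)
        return NULL;            /* caller must refuse to emulate the push */
    return buf + off;
}

int main(void)
{
    /* Register values quoted in the advisory text. */
    printf("offset    = 0x%X\n", (unsigned)rm_linear(0xFFFF, 0xFFFF));
    printf("overshoot = %u bytes\n", (unsigned)rm_overshoot(0xFFFF, 0xFFFF));
    printf("rejected  = %s\n",
           rm_frame_ptr(real_mode_memory, RM_BUF_SIZE,
                        0xFFFF, 0xFFFF, RM_IRET_FRAME) ? "no" : "yes");
    return 0;
}
```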

Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Bitdefender Napoca bare-metal hypervisor's real-mode hook handler. A low-privileged guest user can craft SS and SP register values that cause the handler to compute an offset of up to 0x10FFEF into a 1MB buffer, writing an IRET frame 65,519 bytes past the end of that buffer into the hypervisor heap. Successful exploitation gives an attacker full read and write access to hypervisor memory and can crash the hypervisor process entirely. No fix versions have been published; Napoca is end-of-life, and HarborGuard tracks the advisory for any future patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-10047 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle or depend on the Napoca hypervisor. Any affected image in a connected registry or CI pipeline is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 8.5 HIGH using the CVSS v4.0 vector and applies per-environment compliance policy weighting to prioritize alert routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership and severity thresholds.

Status: Available

Patch

Because no upstream fix has been published for this end-of-life product, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix appears. In the meantime, customers can use HarborGuard's compensating-control recommendations, including network-policy isolation for affected workloads and feature-flag gating to disable real-mode hook handling where the hypervisor configuration permits it.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no over-the-network access to the vulnerable component is required.

  • Authentication: Required

    A low-privilege account (guest OS user) is sufficient to supply the crafted SS:SP values that trigger the out-of-bounds write.

  • Victim interaction: Not required

    No action from any other user or administrator is needed to trigger the vulnerability.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race condition, specific memory layout, or environmental prerequisite is required beyond supplying the crafted register values.

Blast Radius

  • Reads arbitrary hypervisor heap contents, exposing in-memory cryptographic material, guest metadata, and other sensitive hypervisor state.
  • Overwrites hypervisor heap structures beyond the RealModeMemory buffer, enabling arbitrary control over hypervisor data and potentially redirecting execution flow.
  • Crashes the Napoca hypervisor process, taking down all guest VMs sharing that bare-metal host.

How HarborGuard Handles This

Available on HarborGuard: because Napoca is end-of-life and no patch exists, HarborGuard monitors the CVE-2026-10047 advisory on every ingest cycle and will surface a patched-image rebuild automatically if Bitdefender or a downstream maintainer publishes a fix. Until then, customers can act on HarborGuard's compensating-control guidance: isolate affected hypervisor workloads using network policy to limit lateral movement, apply egress filtering at the host level, and evaluate whether real-mode hook handling can be disabled via hypervisor configuration flags. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR flow will activate against affected workloads the moment a fix version becomes available upstream.

Affected packages
  • Bitdefender / Napoca bare-metal hypervisor
    all
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N