Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10046

CVE-2026-10046: Bitdefender Napoca Buffer Overflow Flaw

CVE-2026-10046 is a buffer overflow vulnerability in Bitdefender Napoca bare-metal hypervisor that allows malicious guests to write beyond buffer bounds. This article covers technical details, affected systems, and fixes.

Published:

CVE-2026-10046 Overview

CVE-2026-10046 is an out-of-bounds write vulnerability [CWE-787] in the Bitdefender Napoca bare-metal hypervisor. The flaw resides in the BIOS INT 0x15 / E820 memory map handler implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer using guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB allocation. A malicious guest running in real mode can write up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. Bitdefender Napoca was end-of-life and unsupported at the time of CVE assignment.

Critical Impact

A local guest can corrupt hypervisor heap memory, undermining confidentiality, integrity, and availability of the host hypervisor.

Affected Products

  • Bitdefender Napoca bare-metal hypervisor (end-of-life, unsupported)
  • napoca/guests/bios_handlers.c BIOS INT 0x15 / E820 handler
  • Guest virtual machines operating in real mode on Napoca

Discovery Timeline

  • 2026-06-02 - CVE-2026-10046 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-10046

Vulnerability Analysis

The Napoca hypervisor intercepts BIOS service calls issued by guests, including the INT 0x15 memory map query function AX=0xE820. When the guest issues this call, the hypervisor writes an E820 descriptor entry into guest real-mode memory using the segment:offset pair supplied in ES:EDI. The handler trusts the guest-supplied destination registers and computes the linear address (ES << 4) + EDI without bounds checking against the 1MB RealModeMemory buffer. When the guest supplies maximal values, the write target falls outside the allocation and into adjacent hypervisor heap memory. Up to 20 bytes of attacker-influenced descriptor content can be written past the buffer boundary.

Root Cause

The root cause is missing destination-address validation in the BIOS handler. The handler dereferences a guest-controlled pointer expression for the write destination but never verifies that the resulting offset plus the descriptor size fits within the RealModeMemory allocation. This is a classic out-of-bounds write pattern [CWE-787] caused by treating untrusted guest register state as a trusted memory index.

Attack Vector

The attack requires local privileges inside a guest VM. A malicious guest invokes INT 0x15 with AX=0xE820, EDX=0x534D4150 ('SMAP'), ECX >= 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. The handler computes a destination that lies beyond the 1MB real-mode buffer and writes the E820 descriptor into hypervisor heap memory. By repeating the call with varying register state, an attacker can shape adjacent heap structures and pursue privilege escalation from guest to host or hypervisor compromise.

No verified public exploit code is available. See the Bitdefender Security Advisory for technical details.

Detection Methods for CVE-2026-10046

Indicators of Compromise

  • Unexpected hypervisor crashes, panics, or reboots originating from guest VM activity
  • Guest VMs issuing INT 0x15AX=0xE820 calls with ES=0xFFFF and EDI=0xFFFF register state
  • Corruption of hypervisor heap structures observable in crash dumps near RealModeMemory allocations

Detection Strategies

  • Instrument the BIOS handler path to log E820 calls where the computed (ES<<4)+EDI exceeds the RealModeMemory bounds
  • Monitor hypervisor heap integrity using canary values around RealModeMemory allocations
  • Correlate guest boot-time real-mode activity with subsequent hypervisor instability events

Monitoring Recommendations

  • Capture and review hypervisor crash dumps for heap corruption patterns adjacent to RealModeMemory
  • Track which guests perform anomalous BIOS service call sequences during early boot
  • Alert on repeated INT 0x15 E820 invocations from a single guest with out-of-range segment:offset values

How to Mitigate CVE-2026-10046

Immediate Actions Required

  • Migrate workloads off Bitdefender Napoca, which is end-of-life and will not receive a vendor patch for this issue
  • Restrict who can deploy guest VMs on Napoca hosts to trusted operators only
  • Treat all Napoca guests as untrusted boundaries and isolate them from sensitive networks

Patch Information

Bitdefender Napoca was end-of-life and unsupported when CVE-2026-10046 was assigned. No security patch is available from the vendor. Refer to the Bitdefender Security Advisory for the vendor statement.

Workarounds

  • Replace Napoca with a supported, maintained hypervisor platform
  • Disable or block untrusted guests from running on Napoca hosts until migration is complete
  • Apply network segmentation around Napoca hosts to limit lateral movement if a guest escape occurs

No configuration-based mitigation is published by the vendor. See the Bitdefender Security Advisory for guidance.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.