CVE-2026-10047 Overview
CVE-2026-10047 is an out-of-bounds write vulnerability in the Bitdefender Napoca bare-metal hypervisor. The flaw resides in the real-mode hook handler implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without performing bounds validation. A guest setting SS=0xFFFF and ESP=0xFFFF produces a computed offset of 0x10FFEF, exceeding the buffer by 65,519 bytes. The resulting IRET frame push writes past the buffer end into the hypervisor heap. The product is end-of-life and unsupported as of the assignment date, meaning no vendor fix will be issued.
Critical Impact
A local guest with low privileges can corrupt hypervisor heap memory, enabling escape from guest isolation and compromise of the underlying bare-metal hypervisor.
Affected Products
- Bitdefender Napoca bare-metal hypervisor (end-of-life, unsupported)
- Component: napoca/kernel/handler.c real-mode hook handler
- Internal RealModeMemory 1MB buffer region
Discovery Timeline
- 2026-06-02 - CVE-2026-10047 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-10047
Vulnerability Analysis
The Napoca hypervisor implements a real-mode hook handler to manage guest transitions through legacy real-mode execution. During hook processing, the handler computes a target offset inside a 1MB RealModeMemory buffer using the guest's stack segment and stack pointer registers (SS:SP). Because the handler trusts these guest-controlled values, an attacker executing inside a guest can manipulate the segment and pointer to produce an offset that lies outside the allocated buffer. The handler then pushes an IRET frame at that offset, writing controlled data into adjacent hypervisor heap memory. This corruption affects structures that the hypervisor itself depends on for integrity and control-flow management. The weakness is classified as [CWE-787] Out-of-Bounds Write.
Root Cause
The root cause is missing bounds validation on a guest-supplied index. The handler calculates the write destination from SS << 4 + SP and uses the result directly as a buffer index. With SS=0xFFFF and ESP=0xFFFF, the calculation yields 0x10FFEF, which exceeds the 1MB (0x100000) RealModeMemory allocation by 65,519 bytes. No clamp, mask, or range check constrains the offset before the write occurs.
Attack Vector
Exploitation requires local access from within a guest running on the Napoca hypervisor with low-level privilege sufficient to control segment and stack registers. The attacker programs SS and ESP to malicious values and triggers the real-mode hook path that performs the IRET frame push. The hypervisor then writes guest-controlled IRET frame data into out-of-bounds heap memory. By choosing the offset carefully, an attacker can corrupt selected heap objects to escalate from guest to hypervisor context. No user interaction is required.
No verified public proof-of-concept code is available. Refer to the Bitdefender Security Advisory for technical details.
Detection Methods for CVE-2026-10047
Indicators of Compromise
- Unexpected hypervisor crashes, hangs, or reboots originating during guest real-mode transitions.
- Heap integrity faults or assertion failures logged by the Napoca hypervisor kernel.
- Guest workloads exhibiting anomalous segment register values such as SS=0xFFFF combined with ESP values near 0xFFFF immediately before host instability.
Detection Strategies
- Audit hypervisor logs for real-mode hook handler errors and irregular IRET frame events.
- Capture and review guest CPU state snapshots that trigger host-side exception handlers.
- Correlate guest privileged register manipulation with subsequent host memory faults to identify exploitation attempts.
Monitoring Recommendations
- Forward Napoca host logs to a centralized SIEM and alert on hypervisor kernel exceptions.
- Monitor for unplanned host resets on systems still running the end-of-life Napoca hypervisor.
- Track guest creation and configuration changes that could enable a tenant to execute crafted real-mode code paths.
How to Mitigate CVE-2026-10047
Immediate Actions Required
- Inventory all systems running the Bitdefender Napoca bare-metal hypervisor and flag them as end-of-life.
- Migrate guest workloads off Napoca to a vendor-supported hypervisor platform that receives security updates.
- Restrict administrative access to guest configuration and limit which tenants can run untrusted workloads on affected hosts.
Patch Information
No patch is available. Bitdefender lists the Napoca hypervisor as end-of-life and unsupported as of the CVE assignment date. See the Bitdefender Security Advisory for the vendor statement.
Workarounds
- Decommission Napoca deployments and replace them with a supported hypervisor.
- Where decommissioning is not immediately feasible, run only trusted guests under tight administrative control and isolate affected hosts from multi-tenant environments.
- Apply network segmentation around hosts running Napoca to limit blast radius if a guest escape occurs.
# Identify hosts still running Napoca for migration planning
# Replace <host> with the management endpoint for each candidate system
ssh <host> "uname -a; dmesg | grep -i napoca"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

