Bitdefender Napoca, Out-of-Bounds Write, CVE-2026-10047 (Critical) -DC-Jun2026-277

CVE-2026-10047 is a critical out-of-bounds (OOB) write vulnerability in the Bitdefender Napoca bare-metal hypervisor. The flaw exists in the real-mode hook handler, specifically within the `napoca/kernel/handler.c` file. The hypervisor’s real-mode hook handler is responsible for intercepting and processing real-mode interrupts and exceptions. To manage memory for real-mode operations, the hypervisor uses a `RealModeMemory` buffer, which is 1 megabyte (1,048,576 bytes) in size and is intended to store real-mode code and data structures.

The vulnerability arises when the handler calculates an index into this buffer using a guest-controlled SS:SP (Stack Segment:Stack Pointer) value. The guest operating system, running on a virtual machine, can manipulate its own stack segment and pointer registers. Specifically, an attacker can set `SS=0xFFFF` and `ESP=0xFFFF`. The handler then uses these values to compute an offset into the `RealModeMemory` buffer. The calculation is as follows: the offset is derived from the SS:SP pair, which in this configuration yields a value of `0x10FFEF` (655,343 in decimal). This value exceeds the size of the `RealModeMemory` buffer (1,048,576 bytes) by 65,519 bytes. Consequently, when the handler writes data to this offset, it writes past the end of the buffer.

The write operation is part of an IRET (interrupt return) frame push, meaning the hypervisor attempts to push an interrupt return frame onto what it believes is the real-mode stack. Because the computed offset is out of bounds, the write operation corrupts memory located after the `RealModeMemory` buffer. In memory layout, the `RealModeMemory` buffer is followed by the hypervisor’s heap. Therefore, the OOB write directly corrupts hypervisor heap metadata or data structures. This corruption can lead to arbitrary code execution within the hypervisor context, as the attacker can control the overwritten data.

The product is end-of-life (EOL) and unsupported, meaning no official patch will be released. This vulnerability is considered critical because it allows a guest VM to compromise the hypervisor, potentially leading to host system takeover.
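
The bounds check whose absence is described above, as an added example (not Napoca's code and not part of the original post). The function names, the static stand-in buffer and the 6-byte real-mode IRET frame (IP, CS, FLAGS) are assumptions made for illustration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REAL_MODE_MEM_SIZE 0x100000u /* 1 MiB, the buffer size given above */
#define IRET_FRAME_SIZE    6u        /* assumed real-mode frame: IP, CS, FLAGS */

static uint8_t real_mode_mem[REAL_MODE_MEM_SIZE]; /* stand-in buffer (assumption) */

/* Real-mode linear address: segment * 16 + offset (maximum 0x10FFEF). */
static uint32_t rm_linear(uint16_t ss, uint16_t sp)
{
    return ((uint32_t)ss << 4) + sp;
}

/* Bytes of the frame that would land past the buffer end without a check. */
static uint32_t iret_overrun(uint16_t ss, uint16_t sp)
{
    uint32_t end = rm_linear(ss, sp) + IRET_FRAME_SIZE;
    return end > REAL_MODE_MEM_SIZE ? end - REAL_MODE_MEM_SIZE : 0;
}

/* Hardened write: refuse any guest SS:SP whose frame is not fully in bounds. */
static bool write_iret_frame_checked(uint16_t ss, uint16_t sp,
                                     const uint16_t frame[3])
{
    uint32_t off = rm_linear(ss, sp);
    if (off > REAL_MODE_MEM_SIZE - IRET_FRAME_SIZE)
        return false; /* caller should fail the hook, not touch memory */
    memcpy(&real_mode_mem[off], frame, IRET_FRAME_SIZE);
    return true;
}

int main(void)
{
    const uint16_t frame[3] = { 0x1234, 0x0000, 0x0202 }; /* constructed values */
    printf("0xFFFF:0xFFFF -> 0x%X, overrun %u bytes, accepted=%d\n",
           (unsigned)rm_linear(0xFFFF, 0xFFFF),
           (unsigned)iret_overrun(0xFFFF, 0xFFFF),
           write_iret_frame_checked(0xFFFF, 0xFFFF, frame));
    printf("0x1000:0x0100 accepted=%d\n",
           write_iret_frame_checked(0x1000, 0x0100, frame));
    return 0;
}
```

The check compares against `REAL_MODE_MEM_SIZE - IRET_FRAME_SIZE` so that the whole frame, not only its first byte, must fit inside the buffer.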

DailyCVE Form:

Platform: Bitdefender Napoca hypervisor
Version: End-of-life unsupported
Vulnerability: Out-of-bounds write
Severity: Critical
Date: 2026-06-02

Prediction: No patch provided

What Undercode Say:

```bash
# Check if system is running Bitdefender Napoca hypervisor
dmesg | grep -i napoca
# Identify hypervisor version (EOL versions likely 1.x or 2.x)
modinfo napoca | grep version
# Test for vulnerability by attempting to set SS:SP in a VM
# (Requires root in guest VM)
echo "mov ss, 0xFFFF ; mov esp, 0xFFFF" | ndisasm -
# Trigger real-mode hook by generating an interrupt in VM
# (e.g., int 0x80 from real-mode)
# Monitor hypervisor heap corruption
cat /proc/hypervisor/heap | grep -i corrupted
```

Exploit:

Set guest SS=0xFFFF and ESP=0xFFFF to cause an OOB write offset of 0x10FFEF into RealModeMemory buffer. The write corrupts hypervisor heap. Use controlled data in the IRET frame to overwrite a function pointer in the heap. Redirect execution to shellcode that escalates privileges or breaks out of the VM.

Protection:

No official patch available. Mitigation: Disable real-mode emulation in the hypervisor if not required. Unload or blacklist the napoca kernel module. Isolate untrusted VMs from the vulnerable hypervisor. Use a different hypervisor (e.g., KVM, Xen).

Impact:

Guest VM can write out-of-bounds into hypervisor heap, leading to hypervisor crash, denial of service, or arbitrary code execution in host kernel. Full VM escape possible, compromising entire host system.

Sources:

Reported By: nvd.nist.gov