Napoca Bare Metal Hypervisor
cpe:2.3:a:bitdefender:napoca_bare-metal_hypervisor:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Bitdefender (d5582d91-5be9-5b61-8324-642705c220ed) |
|---|---|
| Product | Napoca Bare Metal Hypervisor (878314a0-118f-5297-b4c1-84a3b9dc512e) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-10047 | vulnerable | 2026-06-03 15:14:43.361649 | Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905). The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned. Published: 2026-06-02T14:17:15.279Z. Updated: 2026-06-02T16:06:55.065Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-10046 | vulnerable | 2026-06-03 15:14:43.358520 | Out-of-bounds write in Napoca BIOS INT 0x15 E820 memory map handler (VA-13905). Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned. Published: 2026-06-02T14:16:21.927Z. Updated: 2026-06-02T16:06:21.781Z | Imported from gcve-enriched-dumps CVE data |