Bitdefender Napoca Out-of-Bounds Write Vulnerability in Real-Mode Hook Handler

An out-of-bounds write vulnerability has been identified in the Bitdefender Napoca bare-metal hypervisor. This issue arises in the real-mode hook handler, where a guest-controlled SS:SP-derived offset is used to index into the 1MB RealModeMemory buffer without proper bounds validation. With specific values for SS and ESP, the offset can exceed the buffer limit, allowing the IRET frame push to write into the hypervisor heap. This vulnerability is present in a product that is end-of-life and no longer supported.

Impact

Exploitation of this vulnerability allows for an out-of-bounds write, where data can be written past the end of the RealModeMemory buffer into the hypervisor heap. This type of vulnerability can potentially be exploited to manipulate memory in a way that leads to arbitrary code execution or other malicious outcomes.

Remediation

No fix is planned for this vulnerability, as Bitdefender Napoca is no longer supported. Users are advised to discontinue use of the product.