Description
A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as "writes preserve values, reads ignore values," i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.
Published: 2026-04-20
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Status Register Tampering
Action: Apply Patch
AI Analysis

Impact

A local attacker who can execute privileged CSR operations on a XiangShan processor may carefully read and write the menvcfg register to set reserved bits in the machine status view. This manipulation violates the RISC‑V WPRI rule, which requires software to leave reserved bits unchanged. The resulting corruption of the status register can alter privilege levels, bypass security checks, or destabilise the processor, potentially leading to privilege escalation or denial of service. The vulnerability is therefore an internal flaw that requires local, privileged code execution.

Affected Systems

XiangShan firmware (OpenXiangShan) versions based on commit aecf601e803bfd2371667a3fb60bfcd83c333027 released 2024‑11‑19 are affected. No other vendors or products are listed as impacted.

Risk and Exploitability

Because the exploit requires privileged CSR access, it is a local attack that normally implies root or firmware‑level control. No EPSS score or KEV listing is available, and a CVSS score is not provided, so the exact severity cannot be quantified. However, the ability to corrupt reserved status bits suggests a high risk for the affected system: an adversary with the necessary privileges could gain additional privileges, disrupt correct operation, or cause a system crash. The attack path is straightforward: obtain privileged CSR access, read or write menvcfg, and set the reserved bits in xstatus, thereby violating the intended hardware semantics.

Generated by OpenCVE AI on April 21, 2026 at 00:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update XiangShan firmware to a version that includes the commit 5e3dd63 or later to correct the menvcfg handling.
  • Restrict execution of privileged CSR operations to only those processes that absolutely require them, and audit the firmware to eliminate unnecessary menvcfg writes.
  • Implement runtime monitoring for writes to menvcfg or the status register so that unexpected modifications trigger an alert or safety mechanism.



Advisories

No advisories yet.

History

Tue, 21 Apr 2026 01:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Openxiangshan; Openxiangshan xiangshan

Type: Vendors & Products
Values Removed: (none)
Values Added: Openxiangshan; Openxiangshan xiangshan

Tue, 21 Apr 2026 00:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: Privileged CSR Access Enables Corruption of Reserved Bits in XiangShan Status Register

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-682

Mon, 20 Apr 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as "writes preserve values, reads ignore values," i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T20:30:19.577Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29642

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T21:16:19.393

Modified: 2026-04-20T21:16:19.393

Link: CVE-2026-29642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses