Description
XiangShan (open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) has improper gating of its distributed CSR write-enable path, allowing illegal CSR write attempts to alter custom PMA (Physical Memory Attribute) CSR state. Though the RISC-V privileged specification requires an illegal-instruction exception for non-existent/illegal CSR accesses, affected XiangShan versions may still propagate such writes to replicated PMA configuration state. Local attackers able to execute code on the core (privilege context depends on system integration) can exploit this to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on how PMA enforces platform security and isolation boundaries.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the XiangShan open-source RISC-V processor. An improper gating of the distributed CSR write-enable path allows illegal write attempts to alter the Physical Memory Attribute (PMA) CSR state. The RISC-V privileged specification requires an illegal-instruction exception when a non-existent or illegal CSR is accessed, but affected XiangShan versions propagate these writes to replicated PMA configuration. The ability to tamper with memory-attribute enforcement can lead to privilege escalation, information disclosure, or denial of service, depending on how PMAs enforce platform security and isolation boundaries.

Affected Systems

Affected hosts are all systems that implement the XiangShan processor and rely on its default PMA configuration. Versions containing the commit edb1dfaf7d290ae99724594507dc46c2c2125384 are impacted; newer releases that incorporate the fix are not affected. No other vendors are implicated.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in KEV. The attack vector is local – an attacker must already have the ability to execute code on the core. Based on the description, it is inferred that the attacker can write to privileged CSRs that control memory attributes, thereby manipulating PMA settings. This can undermine isolation guarantees and elevate privileges, with the exact impact depending on the platform’s security configuration.

Generated by OpenCVE AI on April 22, 2026 at 07:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update XiangShan to a firmware version that omits commit edb1dfaf7d290ae99724594507dc46c2c2125384 or reverts to a pre-vulnerable state.
  • Enforce strict access control on CSR writes, limiting non-privileged code from accessing CA-controlled CSRs to address the underlying CWE-284.
  • Configure PMP protections to restrict write access to critical memory attribute registers and enable monitoring for unauthorized PMA modifications.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 07:45:00 +0000

Type: Title
Values removed: (none)
Values added: Improper CSR Write Gating Enables Unauthorized PMA Modification in XiangShan RISC-V Processor

Wed, 22 Apr 2026 00:00:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-284

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: score 5.3, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  ssvc (version 2.0.3): Automatable: no, Exploitation: none, Technical Impact: partial


Tue, 21 Apr 2026 16:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Openxiangshan; Openxiangshan xiangshan

Type: Vendors & Products
Values removed: (none)
Values added: Openxiangshan; Openxiangshan xiangshan

Tue, 21 Apr 2026 14:30:00 +0000

Type: Description
Values removed: (none)
Values added: XiangShan (open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) has improper gating of its distributed CSR write-enable path, allowing illegal CSR write attempts to alter custom PMA (Physical Memory Attribute) CSR state. Though the RISC-V privileged specification requires an illegal-instruction exception for non-existent/illegal CSR accesses, affected XiangShan versions may still propagate such writes to replicated PMA configuration state. Local attackers able to execute code on the core (privilege context depends on system integration) can exploit this to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on how PMA enforces platform security and isolation boundaries.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T17:59:06.506Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29644

Vulnrichment

Updated: 2026-04-21T17:51:18.870Z

NVD

Status : Deferred

Published: 2026-04-21T15:16:36.090

Modified: 2026-04-21T18:16:34.467

Link: CVE-2026-29644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:30:11Z

Weaknesses