Description
NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing.
Published: 2026-04-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and state corruption
Action: Patch
AI Analysis

Impact

NEMU (OpenXiangShan/NEMU) before release v2025.12.r2 contains an improper instruction‑validation flaw in its RISC‑V Vector (RVV) decoder. The decoder fails to validate the funct3 field when decoding the vsetvli/vsetivli/vsetvl instructions, allowing certain malformed OP‑V instruction encodings to be interpreted as vset* configuration instructions instead of raising an illegal‑instruction exception. This misinterpretation permits the execution of unintended vector setting code, which can corrupt architectural state, trigger incorrect trap handling and lead to a crash or denial of service.

Affected Systems

The vulnerability affects NEMU (OpenXiangShan/NEMU) versions older than v2025.12.r2. No vendor identification beyond the NEMU project is available, and the flaw applies to all installations of the affected emulator that use the RVV decoder.

Risk and Exploitability

The CVSS score of 7.5 and an EPSS score of <1% indicate noteworthy severity but low probability of exploitation; the vulnerability is not listed in CISA KEV. Nevertheless, the flaw allows a maliciously crafted RISC‑V binary to be supplied to NEMU, which can then be executed and cause state corruption or a denial of service. The attack vector is likely local exploitation via controlled input to NEMU, but systems that expose NEMU as a service could be vulnerable to remote abuse. Given the potential for complete loss of emulator reliability, the risk is considered high, and prompt remediation is advised.

Generated by OpenCVE AI on April 22, 2026 at 07:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NEMU v2025.12.r2 or any later release where the RVV decoder bug is fixed.
  • If an immediate upgrade is not possible, isolate NEMU from untrusted binaries, and pre‑validate or sanitize input to ensure only legal RVV encodings reach the decoder.
  • Monitor emulator log output for abnormal state changes or crashes, and consider disabling the vector extension in NEMU configuration if vector instructions are not required.
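
The funct3 check named in the description, written out as an added example (this is not NEMU's code and not part of the advisory). It assumes the field layout of the ratified RVV 1.0 specification and 32-bit instruction words; the function names are hypothetical, classify_loose is a simplified model of the flaw class, and the sample words are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define OPCODE_OP_V  0x57u  /* major opcode 1010111 */
#define FUNCT3_OPCFG 0x7u   /* funct3 = 111: the vset* configuration group */
typedef enum { NOT_VSET, VSETVLI, VSETIVLI, VSETVL } vset_kind;

/* Upper-bit patterns that tell the three vset* forms apart (RVV 1.0). */
static vset_kind by_upper_bits(uint32_t insn) {
    if ((insn >> 31) == 0u)            return VSETVLI;   /* bit 31 = 0 */
    if (((insn >> 30) & 3u) == 3u)     return VSETIVLI;  /* bits 31:30 = 11 */
    if (((insn >> 25) & 0x3fu) == 0u)  return VSETVL;    /* bits 30:25 = 000000 */
    return NOT_VSET;                                     /* reserved pattern */
}

/* Strict: opcode AND funct3 must match before the word counts as vset*. */
vset_kind classify_strict(uint32_t insn) {
    if ((insn & 0x7fu) != OPCODE_OP_V)       return NOT_VSET;
    if (((insn >> 12) & 7u) != FUNCT3_OPCFG) return NOT_VSET;
    return by_upper_bits(insn);
}

/* Simplified model of the flaw class (hypothetical): funct3 is never checked. */
vset_kind classify_loose(uint32_t insn) {
    if ((insn & 0x7fu) != OPCODE_OP_V) return NOT_VSET;
    return by_upper_bits(insn);
}

/* Regression helper: count words on which the two classifiers disagree. */
size_t count_divergent(const uint32_t *w, size_t n) {
    size_t d = 0;
    for (size_t i = 0; i < n; i++) d += classify_strict(w[i]) != classify_loose(w[i]);
    return d;
}

/* Constructed sample words, hand-assembled for this example. */
static const uint32_t SAMPLES[] = {
    0x010572d7u, /* vsetvli  t0, a0, e32, m1 */
    0xc10272d7u, /* vsetivli t0, 4, e32, m1 */
    0x80b572d7u, /* vsetvl   t0, a0, a1 */
    0x010502d7u, /* first word with funct3 = 000: OP-V, but not a vset* */
    0x82b572d7u, /* funct3 = 111 with bits 30:25 nonzero: reserved */
    0x00a50533u, /* add a0, a0, a0: not OP-V at all */
};

int main(void) {
    printf("divergent words: %zu\n", count_divergent(SAMPLES, sizeof SAMPLES / sizeof SAMPLES[0]));
    return 0;
}
```

A decoder regression test can run the same comparison against the emulator's own decode result: any word that is accepted as vset* while classify_strict returns NOT_VSET indicates the missing validation.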

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Openxiangshan
Openxiangshan nemu
Vendors & Products Openxiangshan
Openxiangshan nemu

Fri, 24 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Xiangshan
Xiangshan nemu
CPEs cpe:2.3:a:xiangshan:nemu:2025.12:r1:*:*:*:*:*:*
Vendors & Products Xiangshan
Xiangshan nemu

Wed, 22 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Title Instruction Validation Flaw in NEMU's RISC-V Vector Decoder Allows Misinterpretation of Invalid Encodings
Weaknesses CWE-20

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
CWE-131
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Title Instruction Validation Flaw in NEMU's RISC-V Vector Decoder Allows Misinterpretation of Invalid Encodings
Weaknesses CWE-20

Mon, 20 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T19:51:06.424Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29645

Vulnrichment

Updated: 2026-04-21T13:32:16.123Z

NVD

Status: Analyzed

Published: 2026-04-20T20:16:48.303

Modified: 2026-04-24T19:25:35.653

Link: CVE-2026-29645

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:26:47Z

Weaknesses