Description
In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.
Published: 2026-04-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in OpenXiangShan NEMU occurs when a guest operating system running in VS‑mode writes to the supervisor interrupt‑enable CSR (sie) while the hypervisor extension (RVH) is enabled. The write is handled incorrectly and can modify the machine‑level interrupt enable register (mie), breaking the isolation between privilege layers. An attacker who can control a guest can therefore influence host interrupt handling, potentially leading to a denial of service or to a breach of the privileged boundary. The flaw is an improper enforcement of privilege boundaries (CWE‑267).

Affected Systems

All OpenXiangShan NEMU builds executed before commit 55295c4 and run with RVH enabled are vulnerable. The issue exists on any installation that has not incorporated the patch from pull request 938. No other vendor or product variants are identified.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity threat. The EPSS score of less than 1% and the absence from the CISA KEV catalog suggest that public exploitation is unlikely at present, but the vulnerability, associated with CWE‑267, remains actionable in environments that rely on NEMU for isolation. Exploitation requires local control of a VS‑mode guest, so the attack surface is limited to systems that host NEMU. Because the impact can cause a denial of service or privilege escalation, the overall risk is moderate to high for those systems.

Generated by OpenCVE AI on April 22, 2026 at 08:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenXiangShan NEMU to a build containing commit 55295c4 or later.
  • Disable the hypervisor extension (RVH) or run the emulator without hypervisor mode to exclude the vulnerable path.
  • Until an official upgrade is available, isolate the NEMU environment from critical workloads and monitor for unexpected changes to machine‑level interrupt registers.

Generated by OpenCVE AI on April 22, 2026 at 08:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Openxiangshan
Openxiangshan nemu
Vendors & Products Openxiangshan
Openxiangshan nemu

Wed, 22 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Title Privilege and Virtualization Isolation Breach in OpenXiangShan NEMU

Wed, 22 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation and Denial of Service in OpenXiangShan NEMU Hypervisor Mode via Incorrect CSR Handling
Weaknesses CWE-250
CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-267
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
Title Privilege Escalation and Denial of Service in OpenXiangShan NEMU Hypervisor Mode via Incorrect CSR Handling
Weaknesses CWE-250
CWE-284

Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.
References

Subscriptions

Openxiangshan Nemu
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T19:50:49.314Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29646

cve-icon Vulnrichment

Updated: 2026-04-21T13:53:31.976Z

cve-icon NVD

Status : Deferred

Published: 2026-04-20T21:16:19.503

Modified: 2026-04-21T20:16:40.557

Link: CVE-2026-29646

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:26:45Z

Weaknesses