Description
In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.
Published: 2026-04-20
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in OpenXiangShan NEMU occurs when a guest running in VS-mode writes to the supervisor interrupt-enable CSR (sie) while the hypervisor extension (RVH) is enabled. The write is handled incorrectly and can modify the machine-level interrupt enable register (mie). This flaw breaks the isolation between privilege layers and can let a guest influence host-level interrupt handling. The result can be a denial of service or a breach of the privilege boundary expected by virtualization environments. The weakness is an improper enforcement of privilege boundaries, corresponding to access-control failures.

Affected Systems

Affected systems are installations of OpenXiangShan NEMU built before commit 55295c4. Any emulator instance that runs with RVH (hypervisor extension) enabled and has not applied the patch from pull request 938 is vulnerable. No specific vendor or product list is provided beyond the NEMU emulator.

Risk and Exploitability

The EPSS score for this issue is not available and it is not listed in the CISA KEV catalog, indicating no known public exploits. The vulnerability is most likely exploitable only inside the emulator, requiring local control of a guest operating system and the ability to issue writes to sie. Because the flaw allows a guest to change host interrupt state, the potential impact is significant in environments where NEMU is used for isolation or virtual-machine hosting. Without a public exploit and given the limited attack surface, the overall risk is moderate to high for environments that rely on NEMU for trusted virtualization.

Generated by OpenCVE AI on April 21, 2026 at 00:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenXiangShan NEMU to a build that includes the patch from commit 55295c4 or later.
  • If an upgrade cannot be performed immediately, disable the hypervisor extension (RVH) or run the emulator without hypervisor mode to avoid the vulnerable code path.
  • After applying an update or disabling RVH, verify in an isolated test environment that VS-mode writes to sie no longer affect mie before deploying to production.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:30:00 +0000

Type         Values Removed   Values Added
Title                         Privilege Escalation and Denial of Service in OpenXiangShan NEMU Hypervisor Mode via Incorrect CSR Handling
Weaknesses                    CWE-250, CWE-284

Mon, 20 Apr 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description                   In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T20:39:23.730Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29646

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T21:16:19.503

Modified: 2026-04-20T21:16:19.503

Link: CVE-2026-29646

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses