CVE-2026-29647 - Vulnerability Details

- OpenXiangShan NEMU Cross-Context IMSIC State Leakage

Description

In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling.

Published: 2026-04-20

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability stems from an insufficient enforcement of Smstateen permission checks in OpenXiangShan NEMU. When the mstateen0.IMSIC bit is cleared, lower‑privileged code can still read the IMSIC state through the stopei and vstopei CSRs, enabling an attacker to gather information about other contexts’ interrupt states or to interfere with interrupt handling, thereby compromising both confidentiality and availability.

Affected Systems

OpenXiangShan NEMU emulates RISC‑V ISA and implements the Smstateen mechanism to guard access to privileged CSRs. The flaw exists in any NEMU build that uses the described SMstateen check without the fix; no version range is specified in the CNA data, so all current releases that implement the unpatched logic are potentially affected.

Risk and Exploitability

The CVSS score is 6.5, reflecting moderate severity. The EPSS score is less than 1%, indicating a low probability of exploitation. Because the flaw requires an attacker to run low‑privileged code that can access the stopei/vstopei CSRs, it is typically a local privilege escalation scenario. When leveraged, the vulnerability can leak cross‑context interrupt state information or disrupt interrupt handling, compromising confidentiality and availability in multi‑context emulator environments. The vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed exploitation yet, but the potential impact warrants careful mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Openxiangshan

Nemu

80%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest NEMU release that includes the Smstateen permission check patch as indicated in the upstream pull request
If a patched version cannot be obtained, modify the emulator to enforce that stopei and vstopei CSRs are only executable when the mstateen0.IMSIC bit is set, effectively rejecting access from lower‑privileged contexts
Where possible, disable IMSIC functionality or partition it per virtual context to prevent cross‑context data exposure, and restrict untrusted code from accessing privileged CSR space

Generated by OpenCVE AI on April 22, 2026 at 07:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://docs.riscv.org/reference/isa/priv/smstateen.html#state-enable-0-registers
https://github.com/OpenXiangShan/NEMU/issues/691
https://github.com/OpenXiangShan/XiangShan/pull/3978

History

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openxiangshan Openxiangshan nemu
Vendors & Products		Openxiangshan Openxiangshan nemu

Wed, 22 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Title		OpenXiangShan NEMU Cross-Context IMSIC State Leakage

Wed, 22 Apr 2026 06:15:00 +0000

Type	Values Removed	Values Added
Title	Privilege Escalation via Unprotected Stopei CSRs in OpenXiangShan NEMU
Weaknesses	CWE-200 CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-269
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 21 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Title		Privilege Escalation via Unprotected Stopei CSRs in OpenXiangShan NEMU
Weaknesses		CWE-200 CWE-284

Mon, 20 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling.
References		https://docs.riscv.org/reference/isa/priv/smstateen.html#state-enable-0-registers https://github.com/OpenXiangShan/NEMU/issues/691 https://github.com/OpenXiangShan/XiangShan/pull/3978

Subscriptions

Openxiangshan Nemu

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-20T00:00:00.000Z

Updated: 2026-04-21T19:50:43.685Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29647

Vulnrichment

Updated: 2026-04-21T18:25:27.685Z

NVD

Status : Deferred

Published: 2026-04-20T21:16:19.637

Modified: 2026-04-21T20:16:40.723

Link: CVE-2026-29647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:26:44Z

Weaknesses

CWE-269

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object