Description
In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable-based isolation controls in virtualized or multi-privilege environments.
Published: 2026-04-20
Score: n/a
EPSS: < 1% (Very Low)
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

In OpenXiangShan NEMU, enabling Smstateen allows less‑privileged code to read or write the henvcfg and senvcfg CSRs because clearing mstateen0.ENVCFG does not enforce the expected exception. This bypasses isolation controls in virtualized or multi‑privilege environments, giving attackers elevated privileges over sensitive state registers.
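To make the expected gate concrete, here is an added C model (written for this page, not NEMU's own code) of the permission check an emulator must apply to senvcfg and henvcfg under Smstateen: the buggy variant applies only the ordinary privilege check, so a cleared mstateen0.ENVCFG has no effect, while the fixed variant raises the exception the specification requires. The CSR addresses (senvcfg 0x10A, henvcfg 0x60A) and the ENVCFG bit position (bit 62 of mstateen0/hstateen0) come from the RISC-V specifications rather than from this page, and VU-mode rules are not modelled.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the Smstateen gate on senvcfg/henvcfg; not NEMU's code. */
enum priv { PRV_U = 0, PRV_S = 1, PRV_M = 3 };
enum { CSR_SENVCFG = 0x10A, CSR_HENVCFG = 0x60A };   /* addresses from the priv spec */
enum result { ACC_OK, ACC_ILLEGAL_INSN, ACC_VIRTUAL_INSN };

/* Smstateen: bit 62 of mstateen0 and hstateen0 enables senvcfg/henvcfg access. */
#define STATEEN0_ENVCFG (1ULL << 62)

struct hart {
    int prv;              /* current privilege: PRV_U, PRV_S (S/HS/VS) or PRV_M */
    bool virt;            /* V=1: executing in VS-mode under a hypervisor */
    uint64_t mstateen0;
    uint64_t hstateen0;
};

/* Behaviour the advisory describes: only the ordinary CSR privilege check
 * runs, so clearing mstateen0.ENVCFG never produces an exception. */
enum result envcfg_access_buggy(const struct hart *h, int csr) {
    int needed = (csr >> 8) & 3;          /* CSR bits [9:8]: 0=U, 1=S, 2=H, 3=M */
    bool hyp = (needed == 2);
    if (hyp) needed = PRV_S;              /* hypervisor CSRs are HS-level */
    if (h->prv < needed) return ACC_ILLEGAL_INSN;
    if (hyp && h->virt) return ACC_VIRTUAL_INSN;   /* VS-mode touching henvcfg */
    return ACC_OK;
}

/* Corrected behaviour: apply the Smstateen checks in specification order. */
enum result envcfg_access_fixed(const struct hart *h, int csr) {
    enum result r = envcfg_access_buggy(h, csr);    /* baseline privilege rules */
    if (r != ACC_OK || h->prv == PRV_M) return r;   /* M-mode is never gated */
    if (!(h->mstateen0 & STATEEN0_ENVCFG))
        return ACC_ILLEGAL_INSN;            /* any mode below M: illegal instruction */
    if (h->virt && csr == CSR_SENVCFG && !(h->hstateen0 & STATEEN0_ENVCFG))
        return ACC_VIRTUAL_INSN;            /* VS-mode senvcfg gated by hstateen0 */
    return ACC_OK;
}
```

A regression test for an emulator would drive both S/HS-mode and VS-mode accesses with the ENVCFG bit cleared and require the exception, which is exactly where the buggy variant returns ACC_OK.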

Affected Systems

OpenXiangShan NEMU is affected. No version information is specified.

Risk and Exploitability

The vulnerability is a privilege escalation flaw exposing privileged CSRs to code that should be denied. The EPSS score is not available and the vulnerability is not listed in CISA KEV, but because it enables unauthorized register access, any user with a lower privilege level in the virtual machine could exploit it. The attack vector appears to be local within the emulated environment, but could be leveraged by an attacker who can inject code into the NEMU instance. No CVSS score is provided.

Generated by OpenCVE AI on April 21, 2026 at 00:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the latest NEMU release notes for a fix to the Smstateen handling bug; apply the update if available.
  • If updating is not immediately possible, disable Smstateen by setting the corresponding CSR bit to avoid the bug.
  • Verify that lower‑privileged code cannot access henvcfg or senvcfg after applying any change; consider monitoring access to these CSRs.

Tracking

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:30:00 +0000

Type         Values Removed   Values Added
Title        -                Privilege Escalation via Improper CSR Access Control in OpenXiangShan NEMU
Weaknesses   -                CWE-284

Mon, 20 Apr 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description  -                In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments.
References   -

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T20:07:13.590Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29648

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T21:16:19.733

Modified: 2026-04-20T21:16:19.733

Link: CVE-2026-29648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses