Description
NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (V=1).
Published: 2026-04-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

NEMU’s RISC‑V hypervisor support contains an implementation flaw in which the hypervisor configuration CSR fields henvcfg[7:4] are incorrectly masked and updated based on the machine‑mode configuration CSR fields menvcfg[7:4]. As a result, a write to menvcfg from machine mode implicitly changes the hypervisor’s environment configuration. This can cause the hypervisor to enforce incorrect virtualization settings, potentially triggering unexpected traps or a denial of service when cache‑block management instructions are executed in a virtualised context (V=1). The vulnerability allows a privileged attacker to influence hypervisor behaviour without directly writing the hypervisor CSRs, compromising availability.

Affected Systems

The flaw exists in the NEMU RISC‑V emulator. No specific version list is provided, so all instances of NEMU that employ the hypervisor CSR handling described are potentially affected. Because the vulnerability originates from the emulator’s core implementation, any build or fork that has not incorporated the recent fix is at risk.

Risk and Exploitability

The EPSS score is <1%, the CVSS score is 9.8, and the vulnerability is not listed in the CISA KEV catalog, indicating high severity but a low probability of exploitation. Based on the description, the likely attack vector is a machine‑mode write to menvcfg that inadvertently alters hypervisor settings; such an attack would require access to a process with machine‑mode privileges or the ability to run arbitrary code within the emulator. The vulnerability could be exploited to cause a denial of service or to misconfigure virtual machines, impacting the integrity of the hypervisor environment.

Generated by OpenCVE AI on April 22, 2026 at 08:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NEMU to the most recent release that incorporates the patch from GitHub PR #689
  • If upgrading is not immediately possible, restrict or disable machine‑mode writes to menvcfg in the hypervisor configuration, or apply custom tooling to detect and prevent unintended CSR updates
  • Implement validation checks that enforce consistency between henvcfg[7:4] and menvcfg[7:4] whenever either CSR is written
  • Monitor the emulator for unexpected cache‑block management instruction failures or traps, and configure alerts for sudden service interruptions


Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Openxiangshan
Openxiangshan nemu
Vendors & Products Openxiangshan
Openxiangshan nemu

Fri, 24 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Xiangshan
Xiangshan nemu
CPEs cpe:2.3:a:xiangshan:nemu:-:*:*:*:*:*:*:*
Vendors & Products Xiangshan
Xiangshan nemu

Wed, 22 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title RISC‑V Hypervisor Unauthorized Configuration Modification Causing Denial of Service

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Title RISC‑V Hypervisor Unauthorized Configuration Modification Causing Denial of Service
Weaknesses CWE-269
CWE-284

Wed, 22 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Title Vulnerability in NEMU RISC‑V Hypervisor CSR Handling Allows Implicit Modification of Hypervisor Configuration Leading to Denial of Service

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title Vulnerability in NEMU RISC‑V Hypervisor CSR Handling Allows Implicit Modification of Hypervisor Configuration Leading to Denial of Service
Weaknesses CWE-269
CWE-284

Mon, 20 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (V=1).
References

Subscriptions

Openxiangshan Nemu
Xiangshan Nemu
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T19:51:00.279Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29649

Vulnrichment

Updated: 2026-04-21T13:49:49.167Z

NVD

Status : Analyzed

Published: 2026-04-20T20:16:48.410

Modified: 2026-04-24T19:23:46.560

Link: CVE-2026-29649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:26:46Z

Weaknesses