Skip to main content

OpenXiangShan NEMU CVE-2026-29646

| EUVDEUVD-2026-23958 CRITICAL
Privilege Defined With Unsafe Actions (CWE-267)
2026-04-20 mitre GHSA-729m-5x6m-wwxv
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 21, 2026 - 20:23 vuln.today
CVSS changed
Apr 21, 2026 - 20:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 20, 2026 - 21:15 euvd
EUVD-2026-23958
Analysis Generated
Apr 20, 2026 - 21:15 vuln.today
CVE Published
Apr 20, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.

AnalysisAI

OpenXiangShan NEMU emulator's RISC-V Hypervisor extension implementation allows VS-mode guest writes to the sie (supervisor interrupt-enable) CSR to corrupt machine-level mie state, breaking privilege isolation between virtualization layers. Fixed in commit 55295c4 per GitHub PR #938. Despite CVSS 9.8 Critical rating with network attack vector (AV:N), the EPSS score of 0.03% (9th percentile) indicates extremely low observed exploitation probability, and the vulnerability specifically affects RISC-V emulator environments rather than typical network-accessible services. No CISA KEV listing or public exploit identified at time of analysis, suggesting this is a theoretical high-severity issue in specialized research/development contexts rather than an imminent widespread threat.

Technical ContextAI

NEMU is an instruction-set emulator from the OpenXiangShan project implementing the RISC-V architecture, including the RVH (Hypervisor) extension for hardware-assisted virtualization. The vulnerability stems from incorrect handling of CSR (Control and Status Register) writes in the privilege separation logic defined by RISC-V specification chapters on Machine, Supervisor, and Hypervisor modes. The sie CSR controls interrupt enables in supervisor mode (S-mode/VS-mode in virtualized contexts), while mie controls machine-mode (M-mode) interrupts-the highest privilege level. CWE-267 (Privilege Defined With Unsafe Actions) applies because the emulator fails to properly constrain lower-privilege CSR writes, allowing guest OS code in VS-mode to manipulate M-mode state. This violates the fundamental RISC-V privilege model where each mode's CSRs must be isolated according to specification-defined access controls. The CPE data shows generic 'n/a:n/a' product identifiers, indicating NVD classification challenges for specialized emulator software rather than mainstream commercial products.

RemediationAI

Update OpenXiangShan NEMU to commit 55295c46580456d8d5a9d5736e1fda924b8825ab or later, which corrects the sie CSR write handling logic per GitHub PR #938 (https://github.com/OpenXiangShan/NEMU/pull/938). Organizations using NEMU for RISC-V development should rebuild from the patched source tree available at the OpenXiangShan GitHub repository. If immediate patching is not feasible, disable RVH (Hypervisor extension) support in NEMU build configurations to eliminate the vulnerable code path-this workaround removes virtualization capabilities but prevents privilege boundary violations. For research environments requiring RVH functionality with unpatched versions, restrict NEMU execution to isolated development systems without network access and treat all guest VMs as potentially able to escape virtualization boundaries. Review RISC-V privilege specification documentation (https://docs.riscv.org/reference/isa/priv/hypervisor.html) to understand correct CSR access control expectations when implementing custom emulator modifications. No backports to stable release branches are mentioned in available references, suggesting mainline source updates are the only remediation path.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-29646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy