CVE-2026-29642
Received Received - Intake
Privilege Escalation via WPRI Bit Corruption in XiangShan Firmware

Publication date: 2026-04-20

Last updated on: 2026-04-21

Assigner: MITRE

Description
A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as "writes preserve values, reads ignore values," i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29642
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xiangshan xiangshan From aecf601e803bfd2371667a3fb60bfcd83c333027 (inc) to 2024-11-19 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1244 The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves a local attacker who has the ability to execute privileged CSR (Control and Status Register) operations or can cause firmware to perform such operations. By performing carefully crafted reads and writes to the menvcfg register (for example, using csrrs instructions in M-mode), the attacker can cause unexpected changes to the WPRI (Write Preserve Read Ignore) bits in the status view (xstatus). Specifically, these WPRI bits, which are reserved and should not be modified by software, can be set to 1 unexpectedly. This behavior violates the RISC-V specification that states WPRI fields must preserve their values on writes and ignore values on reads.

Impact Analysis

The impact of this vulnerability is that a local attacker with privileged access or the ability to induce firmware operations can manipulate reserved bits in critical status registers. This could lead to unexpected system behavior or compromise the integrity of the system's control and status registers, potentially affecting system stability or security mechanisms that rely on these registers being correctly maintained.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29642. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart