CVE-2026-29642
Privilege Escalation via WPRI Bit Corruption in XiangShan Firmware
Publication date: 2026-04-20
Last updated on: 2026-04-21
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiangshan | xiangshan | From aecf601e803bfd2371667a3fb60bfcd83c333027 (inc) to 2024-11-19 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1244 | The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a local attacker who has the ability to execute privileged CSR (Control and Status Register) operations or can cause firmware to perform such operations. By performing carefully crafted reads and writes to the menvcfg register (for example, using csrrs instructions in M-mode), the attacker can cause unexpected changes to the WPRI (Write Preserve Read Ignore) bits in the status view (xstatus). Specifically, these WPRI bits, which are reserved and should not be modified by software, can be set to 1 unexpectedly. This behavior violates the RISC-V specification that states WPRI fields must preserve their values on writes and ignore values on reads.
How can this vulnerability impact me?
The impact of this vulnerability is that a local attacker with privileged access or the ability to induce firmware operations can manipulate reserved bits in critical status registers. This could lead to unexpected system behavior or compromise the integrity of the system's control and status registers, potentially affecting system stability or security mechanisms that rely on these registers being correctly maintained.
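A verification-side check for the behaviour described above, as an added example that is not code from this page or from the XiangShan project: it scans a trace of CSR instructions and flags any event where reserved mstatus bits changed, counting separately those triggered by menvcfg accesses. The trace record layout, the struct and function names, and the WPRI mask (RV64 mstatus per privileged spec 1.12, without the H extension) are assumptions to adapt to the implementation under test.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CSR_MSTATUS 0x300u  /* CSR addresses per the RISC-V privileged spec */
#define CSR_MENVCFG 0x30Au
/* Assumption: RV64 mstatus WPRI bits per privileged spec 1.12 without the
 * H extension (bits 0, 2, 4, 23-31, 38-62). Adjust to the implemented ISA. */
#define MSTATUS_WPRI_MASK \
    ((1ull << 0) | (1ull << 2) | (1ull << 4) | (0x1FFull << 23) | (0x1FFFFFFull << 38))

/* Hypothetical trace record: one retired CSR instruction, with mstatus
 * sampled before and after it (e.g. exported from a co-simulation run). */
struct csr_event { uint16_t csr; uint64_t mstatus_before, mstatus_after; };

struct wpri_report {
    size_t   violations;          /* events that changed any WPRI bit */
    size_t   menvcfg_violations;  /* of those, events that targeted menvcfg */
    uint64_t wpri_bits;           /* union of WPRI bits that changed */
};

/* WPRI fields must keep their value across software CSR accesses. */
struct wpri_report check_trace(const struct csr_event *ev, size_t n, uint64_t mask)
{
    struct wpri_report r = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        uint64_t changed = (ev[i].mstatus_before ^ ev[i].mstatus_after) & mask;
        if (!changed) continue;
        r.violations++;
        r.wpri_bits |= changed;
        r.menvcfg_violations += (ev[i].csr == CSR_MENVCFG);
    }
    return r;
}

/* Constructed sample trace, not captured from real hardware. */
static const struct csr_event SAMPLE[] = {
    { CSR_MSTATUS, 0x0000000a00001800ull, 0x0000000a00001808ull }, /* MIE set: legal */
    { CSR_MENVCFG, 0x0000000a00001808ull, 0x0000000a00801808ull }, /* bit 23 flipped */
    { CSR_MENVCFG, 0x0000000a00801808ull, 0x0000000a00801808ull }, /* no change */
    { CSR_MENVCFG, 0x0000000a00801808ull, 0x0000000a00801818ull }, /* bit 4 flipped */
};

int main(void)
{
    struct wpri_report r = check_trace(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], MSTATUS_WPRI_MASK);
    printf("violations=%zu menvcfg=%zu bits=0x%llx\n", r.violations, r.menvcfg_violations, (unsigned long long)r.wpri_bits);
    return r.violations ? 1 : 0;
}
```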