CVE-2026-29644
Status: Received - Intake
Improper CSR Write Enables Privilege Escalation in XiangShan CPU

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: MITRE

Description
XiangShan (open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) has improper gating of its distributed CSR write-enable path, allowing illegal CSR write attempts to alter custom PMA (Physical Memory Attribute) CSR state. Though the RISC-V privileged specification requires an illegal-instruction exception for non-existent/illegal CSR accesses, affected XiangShan versions may still propagate such writes to replicated PMA configuration state. Local attackers able to execute code on the core (privilege context depends on system integration) can exploit this to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on how PMA enforces platform security and isolation boundaries.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor          Product     Version / Range
openxiangshan   xiangshan   *
openxiangshan   xiangshan   From 2.13.11 (inc)
CWE
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in XiangShan, an open-source high-performance RISC-V processor, involves improper gating of its distributed CSR (Control and Status Register) write-enable path. This flaw allows illegal CSR write attempts to alter the custom Physical Memory Attribute (PMA) CSR state. Although the RISC-V privileged specification requires an illegal-instruction exception for illegal CSR accesses, affected XiangShan versions may still propagate such writes to the replicated PMA configuration state.

Local attackers who can execute code on the core can exploit this vulnerability to tamper with memory-attribute enforcement. This can potentially lead to privilege escalation, information disclosure, or denial of service, depending on how PMA enforces platform security and isolation boundaries.


How can this vulnerability impact me?

This vulnerability can impact you by allowing a local attacker with code execution capabilities on the processor core to tamper with the memory attribute enforcement mechanisms. Such tampering can lead to several serious security consequences:

  • Privilege escalation - attackers may gain higher privileges than intended.
  • Information disclosure - unauthorized access to sensitive data may occur.
  • Denial of service - disruption of normal system operation by corrupting memory protections.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying illegal CSR write attempts to the custom PMA CSRs on the XiangShan RISC-V processor core. Since the vulnerability arises from improper gating of the distributed CSR write-enable path, which lets illegal writes through, the key signal to monitor is whether illegal-instruction exceptions are raised for such CSR accesses.

Specifically, abnormal behavior shows up when an access to an undefined or custom CSR that should raise an illegal-instruction exception fails to enter the exception handler as expected, disrupting execution.

A practical approach is to run test cases that attempt illegal CSR writes and monitor the processor's response. For example, the test case provided in Resource 2 (ill-test.zip), which triggers illegal-instruction exceptions involving undefined custom registers, can help detect the issue.

Since this is a processor core vulnerability, network-level detection commands are not applicable. Instead, detection requires running code on the affected core and observing exception handling behavior.

  • Run illegal CSR access test cases (such as ill-test.zip) on the XiangShan core.
  • Monitor processor logs or debug output for failure to enter illegal instruction exception handlers.
  • Use hardware debugging tools or simulators to trace CSR write-enable signals and verify if illegal writes are blocked.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves applying the patch that fixes improper gating of distributed CSR write-enable paths to prevent illegal CSR writes to custom PMA CSRs.

Specifically, the fix introduced in Resource 4 adds a register to detect illegal CSR accesses and gates the distributed write-enable signal accordingly, blocking illegal writes that could alter PMA state.

Therefore, updating the XiangShan processor core to include this patch (commit 2b1f9796aa98597e5eeac32e5bb1418496987ca4) is the recommended immediate step.

Additionally, restrict local code execution privileges to trusted users only, as exploitation requires local code execution on the core.

  • Apply the patch from commit 2b1f9796aa98597e5eeac32e5bb1418496987ca4 to the XiangShan core.
  • Limit local code execution access to trusted users and processes.
  • Monitor for updates or further advisories from the XiangShan project regarding this vulnerability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the XiangShan RISC-V processor allows local attackers to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service. Such security breaches could undermine the confidentiality, integrity, and availability of sensitive data.

Because regulations like GDPR and HIPAA require strict controls to protect sensitive personal and health information, this vulnerability could negatively impact compliance by enabling unauthorized access or data leakage through privilege escalation or memory protection bypass.

However, the exact impact on compliance depends on how the affected platform uses the XiangShan processor and enforces platform security and isolation boundaries.
