Executive Summary

CVE-2026-29645 is a vulnerability in the NEMU emulator for RISC-V systems, specifically in the decoding of vector instructions related to the RISC-V Vector Extension (RVV). The flaw lies in improper validation of the funct3 field when decoding the vector set instructions vsetvli, vsetivli, and vsetvl. Because the decoder does not correctly enforce that funct3 must be 111, certain invalid instruction encodings can be misinterpreted as valid vector set instructions instead of triggering an illegal-instruction exception.

This improper decoding allows crafted RISC-V binaries to cause incorrect trap behavior, corrupt or diverge the architectural state, and potentially lead to denial of service in systems relying on NEMU for correct execution or sandboxing.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can impact you by allowing malicious or malformed RISC-V binaries to bypass proper instruction validation in the NEMU emulator. This can result in:

• Incorrect trap behavior during execution
• Corruption or divergence of the architectural state of the emulated system
• Potential denial of service if the system relies on NEMU for correct execution or sandboxing

Such impacts can undermine the reliability and security of systems using NEMU for emulation or sandboxing of RISC-V binaries.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper instruction decoding in the NEMU RISC-V emulator, specifically related to the funct3 field in vector set instructions (vsetvli, vsetivli, vsetvl). Detection would involve identifying if your system is running a vulnerable version of NEMU (before v2025.12.r2) and if it executes crafted RISC-V binaries that exploit this flaw.

Since the issue is with instruction decoding in the emulator, detection on a system level would require monitoring for illegal instruction exceptions or architectural state corruption during execution of RISC-V binaries under NEMU.

No explicit detection commands are provided in the resources. However, you can check the version of NEMU running on your system to see if it is older than v2025.12.r2, which is vulnerable.

For example, to check the NEMU version, you might run a command like:

• `nemu --version` or check the version information in your NEMU installation directory or build logs.

Additionally, monitoring logs for illegal instruction exceptions or unusual trap behavior during execution of RISC-V vector instructions could indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update NEMU to a fixed version that addresses the improper instruction decoding flaw.

Specifically, upgrade to NEMU version v2025.12.r2 or later, where the decoding logic for the RISC-V Vector instructions (vsetvli, vsetivli, vsetvl) has been corrected to properly validate the funct3 field and remove incorrect duplicate decodes.

This fix is implemented in commits such as SHA 481de63 and pull request #958, which correct the decode tables and ensure compliance with the RISC-V Vector specification.

If immediate upgrade is not possible, consider restricting or sandboxing execution of untrusted RISC-V binaries in NEMU to prevent exploitation.

Useful 0 Not Useful 0

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-29645 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0