CVE-2026-29645
Improper Instruction Validation in NEMU RVV Decoder Causes DoS
Publication date: 2026-04-20
Last updated on: 2026-04-24
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiangshan | nemu | 2025.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
| CWE-131 | The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29645 is a vulnerability in the NEMU emulator for RISC-V systems, specifically in the decoding of vector instructions related to the RISC-V Vector Extension (RVV). The flaw lies in improper validation of the funct3 field when decoding the vector set instructions vsetvli, vsetivli, and vsetvl. Because the decoder does not correctly enforce that funct3 must be 111, certain invalid instruction encodings can be misinterpreted as valid vector set instructions instead of triggering an illegal-instruction exception.
This improper decoding allows crafted RISC-V binaries to cause incorrect trap behavior, corrupt or diverge the architectural state, and potentially lead to denial of service in systems relying on NEMU for correct execution or sandboxing.
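The funct3 check at the heart of this advisory, as an added C illustration that is not NEMU's source: a lenient classifier that keys only on the high bits of an OP-V word next to a strict one that first enforces funct3 = 111, run on constructed encodings (the mnemonics in the comments are assumed).

```c
#include <stdint.h>

/* Added illustration, not NEMU code: classify the three RVV configuration
 * instructions (vsetvli / vsetivli / vsetvl) from a 32-bit instruction word. */
enum vset_kind { VSET_NONE = 0, VSET_VSETVLI, VSET_VSETIVLI, VSET_VSETVL };

#define OPCODE_OP_V  0x57u   /* major opcode 1010111, shared by all vector ops */
#define FUNCT3_VSET  0x7u    /* funct3 = 111 is mandatory for all three vset* */

static inline uint32_t bits(uint32_t insn, int hi, int lo)
{
    return (insn >> lo) & ((1u << (hi - lo + 1)) - 1);
}

/* Lenient decode of the kind the advisory describes: funct3 is never
 * consulted, so any OP-V word with bit 31 clear is reported as vsetvli,
 * even when those bits belong to a different vector instruction class. */
enum vset_kind decode_vset_lenient(uint32_t insn)
{
    if (bits(insn, 6, 0) != OPCODE_OP_V) return VSET_NONE;
    if (bits(insn, 31, 31) == 0)         return VSET_VSETVLI;  /* 0  | zimm[10:0] */
    if (bits(insn, 31, 30) == 3)         return VSET_VSETIVLI; /* 11 | zimm[9:0]  */
    if (bits(insn, 31, 25) == 0x40)      return VSET_VSETVL;   /* 1000000 | rs2   */
    return VSET_NONE;
}

/* Strict decode: funct3 must be 111 before the high bits mean anything.
 * VSET_NONE means "not a vset* instruction"; the caller continues with the
 * rest of the OP-V decode and raises an illegal-instruction trap if no
 * other entry matches. */
enum vset_kind decode_vset_strict(uint32_t insn)
{
    if (bits(insn, 6, 0) != OPCODE_OP_V)   return VSET_NONE;
    if (bits(insn, 14, 12) != FUNCT3_VSET) return VSET_NONE;
    if (bits(insn, 31, 31) == 0)           return VSET_VSETVLI;
    if (bits(insn, 31, 30) == 3)           return VSET_VSETIVLI;
    if (bits(insn, 31, 25) == 0x40)        return VSET_VSETVL;
    return VSET_NONE; /* 10xxxxx with funct7 != 1000000 is reserved */
}

/* Constructed encodings used in the checks below (assumed mnemonics):
 *   0x0C057557  vsetvli  a0, a0, e8, m1, ta, ma
 *   0xCC087557  vsetivli a0, 16, e8, m1, ta, ma
 *   0x80B57557  vsetvl   a0, a0, a1
 *   0x0C050557  the first word with funct3 forced to 000: the lenient
 *               decoder still reports vsetvli, the strict one does not */
```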
How can this vulnerability impact me?
The vulnerability can impact you by allowing malicious or malformed RISC-V binaries to bypass proper instruction validation in the NEMU emulator. This can result in:
- Incorrect trap behavior during execution
- Corruption or divergence of the architectural state of the emulated system
- Potential denial of service if the system relies on NEMU for correct execution or sandboxing
Such impacts can undermine the reliability and security of systems using NEMU for emulation or sandboxing of RISC-V binaries.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper instruction decoding in the NEMU RISC-V emulator, specifically related to the funct3 field in vector set instructions (vsetvli, vsetivli, vsetvl). Detection would involve identifying if your system is running a vulnerable version of NEMU (before v2025.12.r2) and if it executes crafted RISC-V binaries that exploit this flaw.
Since the issue is with instruction decoding in the emulator, detection at the system level would require monitoring for illegal-instruction exceptions or architectural state corruption during execution of RISC-V binaries under NEMU.
No explicit detection commands are provided in the resources. However, you can check the version of NEMU running on your system to see if it is older than v2025.12.r2, which is vulnerable.
For example, to check the NEMU version, you might run a command like:
- `nemu --version` or check the version information in your NEMU installation directory or build logs.
Additionally, monitoring logs for illegal instruction exceptions or unusual trap behavior during execution of RISC-V vector instructions could indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update NEMU to a fixed version that addresses the improper instruction decoding flaw.
Specifically, upgrade to NEMU version v2025.12.r2 or later, where the decoding logic for the RISC-V Vector instructions (vsetvli, vsetivli, vsetvl) has been corrected to properly validate the funct3 field and remove incorrect duplicate decodes.
This fix is implemented in commits such as SHA 481de63 and pull request #958, which correct the decode tables and ensure compliance with the RISC-V Vector specification.
If immediate upgrade is not possible, consider restricting or sandboxing execution of untrusted RISC-V binaries in NEMU to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain information regarding the impact of CVE-2026-29645 on compliance with common standards and regulations such as GDPR or HIPAA.