CVE-2026-29647
Received Received - Intake

Insufficient Permission Enforcement in OpenXiangShan NEMU Enables IMSIC Access

Vulnerability report for CVE-2026-29647, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-20

Last updated on: 2026-04-21

Assigner: MITRE

Description

In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-20
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-21
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
openxiangshan xiangshan *
openxiangshan nemu *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenXiangShan NEMU where there is insufficient enforcement of Smstateen permissions. Specifically, lower-privileged code can access IMSIC state through the stopei and vstopei CSRs even when the mstateen0.IMSIC permission bit is cleared. This means that code which should not have access can still read or manipulate certain interrupt-related states.

Impact Analysis

The impact of this vulnerability includes the potential for cross-context information leakage, where sensitive interrupt state information could be exposed to unauthorized lower-privileged code. Additionally, it could disrupt interrupt handling, possibly affecting system stability or security by allowing improper manipulation of interrupt states.

Compliance Impact

The provided context and resources do not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by verifying whether access to the stopei and vstopei CSRs is improperly allowed when the IMSIC bit in the mstateen0 register is cleared (disabled). Specifically, attempts to access these CSRs in mode=1 should trigger an illegal instruction exception according to the RISC-V specification, but due to the vulnerability, such access is erroneously permitted.

A practical detection method involves clearing the IMSIC bit in the mstateen0 register, setting the processor to mode=1, and then attempting to read or write the xstopei or vstopei CSRs. If these accesses do not cause an illegal instruction exception, the system is vulnerable.

Example commands (conceptual, assuming a RISC-V environment with CSR access tools):

  • Clear the IMSIC bit in mstateen0 register.
  • Set the processor mode to 1.
  • Attempt to read or write the stopei or vstopei CSRs (e.g., using assembly instructions like csrr or csrw).
  • Check if an illegal instruction exception is raised; if not, the vulnerability is present.
Mitigation Strategies

Immediate mitigation involves applying patches or updates that correct the access control enforcement for the Smstateen extension, specifically ensuring that the IMSIC bit in the mstateen0 register properly restricts access to the stopei and vstopei CSRs.

The fix includes removal of incorrect illegal instruction checks and addition of missing access checks for the stopi CSR, as well as corrections to privilege-level access enforcement across S-mode, VS-mode, and U-mode.

Therefore, updating to the fixed versions of OpenXiangShan and NEMU that include these patches is recommended.

Additionally, running the continuous integration tests added to verify correct Smstateen extension behavior can help ensure the vulnerability is mitigated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29647. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart