CVE-2026-29647
Insufficient Permission Enforcement in OpenXiangShan NEMU Enables IMSIC Access
Publication date: 2026-04-20
Last updated on: 2026-04-21
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openxiangshan | xiangshan | * |
| openxiangshan | nemu | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenXiangShan NEMU where there is insufficient enforcement of Smstateen permissions. Specifically, lower-privileged code can access IMSIC state through the stopei and vstopei CSRs even when the mstateen0.IMSIC permission bit is cleared. This means that code which should not have access can still read or manipulate certain interrupt-related states.
How can this vulnerability impact me?
The impact of this vulnerability includes the potential for cross-context information leakage, where sensitive interrupt state information could be exposed to unauthorized lower-privileged code. Additionally, it could disrupt interrupt handling, possibly affecting system stability or security by allowing improper manipulation of interrupt states.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying whether access to the stopei and vstopei CSRs is improperly allowed when the IMSIC bit in the mstateen0 register is cleared (disabled). Specifically, attempts to access these CSRs in mode=1 should trigger an illegal instruction exception according to the RISC-V specification, but due to the vulnerability, such access is erroneously permitted.
A practical detection method involves clearing the IMSIC bit in the mstateen0 register, setting the processor to mode=1, and then attempting to read or write the stopei or vstopei CSRs. If these accesses do not cause an illegal instruction exception, the system is vulnerable.
Example commands (conceptual, assuming a RISC-V environment with CSR access tools):
- Clear the IMSIC bit in mstateen0 register.
- Set the processor mode to 1.
- Attempt to read or write the stopei or vstopei CSRs (e.g., using assembly instructions like csrr or csrw).
- Check if an illegal instruction exception is raised; if not, the vulnerability is present.
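The permission decision the detection procedure above probes, as an added Python model that is not NEMU's or OpenXiangShan's code: the correct Smstateen gating of stopei/vstopei beside a deliberately buggy variant that skips the mstateen0 check, with the page's clear-bit-then-access procedure run against both. Bit 58 as the IMSIC bit and the illegal-vs-virtual instruction outcomes follow the Smstateen/AIA specifications; the function names, the `buggy` switch and the omission of direct VS-mode access to vstopei are assumptions of this model.

```python
# Added model (not emulator code): Smstateen gating of the stopei/vstopei CSRs.
IMSIC_BIT = 1 << 58                     # mstateen0 / hstateen0 bit 58 (IMSIC)
M_MODE, S_MODE, U_MODE = 3, 1, 0        # RISC-V privilege levels

# Possible outcomes of a csrr/csrw attempt in this model.
OK, ILLEGAL, VIRTUAL = "ok", "illegal_instruction", "virtual_instruction"


def stopei_access(priv, virt, csr, mstateen0, hstateen0, buggy=False):
    """Outcome of accessing 'stopei' or 'vstopei' from the given context.

    priv: privilege level (0=U, 1=S, 3=M); virt: True when running as a
    guest (VS/VU).  buggy=True drops the mstateen0.IMSIC check for S/VS-mode,
    which is the behaviour this CVE describes.  Direct VS-mode access to
    vstopei (a hypervisor CSR) is not modelled; VS-mode reaches it as stopei.
    """
    assert csr in ("stopei", "vstopei")
    if priv == M_MODE:
        return OK                        # M-mode is never gated by mstateen0
    if priv == U_MODE:
        # S-level CSRs are never reachable from U/VU-mode.
        return VIRTUAL if virt else ILLEGAL
    if virt and csr == "vstopei":
        raise NotImplementedError("direct VS-mode vstopei access not modelled")
    # priv == S_MODE: HS-mode (virt False) or VS-mode (virt True).
    if not buggy and not (mstateen0 & IMSIC_BIT):
        return ILLEGAL                   # mstateen0.IMSIC=0 -> illegal instruction
    if virt and not (hstateen0 & IMSIC_BIT):
        return VIRTUAL                   # hstateen0.IMSIC=0 -> virtual instruction
    return OK


def is_vulnerable(buggy):
    """Run the page's procedure: clear mstateen0.IMSIC, execute in mode 1
    (non-virtualised S-mode) and try both CSRs.  Any access that does not
    trap means the Smstateen check is missing."""
    mstateen0 = 0                        # IMSIC bit cleared
    outcomes = [stopei_access(S_MODE, False, c, mstateen0, 0, buggy)
                for c in ("stopei", "vstopei")]
    return any(o == OK for o in outcomes)


if __name__ == "__main__":
    print("fixed model vulnerable?", is_vulnerable(buggy=False))   # False
    print("buggy model vulnerable?", is_vulnerable(buggy=True))    # True
```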
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying patches or updates that correct the access control enforcement for the Smstateen extension, specifically ensuring that the IMSIC bit in the mstateen0 register properly restricts access to the stopei and vstopei CSRs.
The fix includes removal of incorrect illegal instruction checks and addition of missing access checks for the stopi CSR, as well as corrections to privilege-level access enforcement across S-mode, VS-mode, and U-mode.
Therefore, updating to the fixed versions of OpenXiangShan and NEMU that include these patches is recommended.
Additionally, running the continuous integration tests added to verify correct Smstateen extension behavior can help ensure the vulnerability is mitigated.