CVE-2026-29647
Insufficient Permission Enforcement in OpenXiangShan NEMU Enables IMSIC Access

Publication date: 2026-04-20

Last updated on: 2026-04-21

Assigner: MITRE

Description
In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling.
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-04-21
EPSS evaluated: 2026-06-15 (no CVSS or EPSS score is listed on this page)

Affected Vendors & Products (2 associated CPEs)

Vendor          Product     Version / Range
openxiangshan   xiangshan   *
openxiangshan   nemu        *

CWE
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Executive Summary

This vulnerability exists in OpenXiangShan NEMU where there is insufficient enforcement of Smstateen permissions. Specifically, lower-privileged code can access IMSIC state through the stopei and vstopei CSRs even when the mstateen0.IMSIC permission bit is cleared. This means that code which should not have access can still read or manipulate certain interrupt-related states.

Impact Analysis

The impact of this vulnerability includes the potential for cross-context information leakage, where sensitive interrupt state information could be exposed to unauthorized lower-privileged code. Additionally, it could disrupt interrupt handling, possibly affecting system stability or security by allowing improper manipulation of interrupt states.

Compliance Impact

The provided context and resources do not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by verifying whether access to the stopei and vstopei CSRs is improperly allowed when the IMSIC bit in the mstateen0 register is cleared (disabled). Specifically, attempts to access these CSRs from privilege mode 1 (S-mode) should trigger an illegal instruction exception according to the RISC-V specification, but due to the vulnerability, such access is erroneously permitted.

A practical detection method involves clearing the IMSIC bit in the mstateen0 register, switching the processor to privilege mode 1, and then attempting to read or write the stopei or vstopei CSRs. If these accesses do not cause an illegal instruction exception, the system is vulnerable.

Example steps (conceptual, assuming a RISC-V environment with CSR access tools):

  • Clear the IMSIC bit in the mstateen0 register.
  • Switch the processor to privilege mode 1 (S-mode).
  • Attempt to read or write the stopei or vstopei CSRs (e.g., using the csrr or csrw assembly instructions).
  • Check whether an illegal instruction exception is raised; if not, the vulnerability is present.

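The expected behaviour behind the steps above, written out as a reference model of the Smstateen gating for the IMSIC CSRs together with a differential check that lists every case where a CSR implementation disagrees with it. This is an added example, not code from the advisory, NEMU or XiangShan; `buggy_csr_check` is a constructed stand-in for the faulty behaviour described above, and the model covers M-mode and privilege mode 1 (HS-mode when virt is false, VS-mode when virt is true), not U-mode.

```python
# Added example (not NEMU/XiangShan code): reference model of the RISC-V
# Smstateen rules for the IMSIC CSRs, plus a differential conformance check.

M_MODE, S_MODE = 3, 1          # RISC-V privilege encodings; mode 1 is HS/VS
IMSIC_CSRS = ("stopei", "vstopei")

def expected_outcome(priv, virt, csr, mstateen0_imsic, hstateen0_imsic):
    """Outcome the Smstateen rules require for an access to an IMSIC CSR.

    Returns 'ok', 'illegal_instruction' or 'virtual_instruction'.
    Modelled cases: M-mode, and privilege mode 1 with virt False (HS-mode)
    or True (VS-mode). U-mode is outside this model.
    """
    if csr not in IMSIC_CSRS or priv not in (M_MODE, S_MODE):
        raise ValueError("outside the modelled cases")
    if priv == M_MODE:
        return "ok"                       # Smstateen never limits M-mode
    if virt and csr == "vstopei":
        return "virtual_instruction"      # HS-level CSR touched from VS-mode
    if not mstateen0_imsic:
        return "illegal_instruction"      # the check the advisory is about
    if virt and not hstateen0_imsic:
        return "virtual_instruction"      # hypervisor withheld it from VS-mode
    return "ok"

def buggy_csr_check(priv, virt, csr, mstateen0_imsic, hstateen0_imsic):
    """Constructed stand-in for the flaw: mstateen0.IMSIC is never consulted."""
    return expected_outcome(priv, virt, csr, True, hstateen0_imsic)

def find_violations(csr_check):
    """Return (inputs, expected, observed) for every case csr_check gets wrong.

    csr_check takes the same arguments as expected_outcome; in a real
    conformance run it would drive the emulator and report the trap it saw.
    """
    modes = [(M_MODE, False), (S_MODE, False), (S_MODE, True)]  # no V=1 in M
    bad = []
    for priv, virt in modes:
        for csr in IMSIC_CSRS:
            for m_bit in (False, True):
                for h_bit in (False, True):
                    case = (priv, virt, csr, m_bit, h_bit)
                    want, got = expected_outcome(*case), csr_check(*case)
                    if want != got:
                        bad.append((case, want, got))
    return bad
```

Running `find_violations(buggy_csr_check)` lists exactly the mode-1 accesses with mstateen0.IMSIC cleared that the advisory describes as wrongly permitted.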
Mitigation Strategies

Immediate mitigation involves applying patches or updates that correct the access control enforcement for the Smstateen extension, specifically ensuring that the IMSIC bit in the mstateen0 register properly restricts access to the stopei and vstopei CSRs.

The fix includes removal of incorrect illegal instruction checks and addition of missing access checks for the stopi CSR, as well as corrections to privilege-level access enforcement across S-mode, VS-mode, and U-mode.

Therefore, updating to the fixed versions of OpenXiangShan and NEMU that include these patches is recommended.

Additionally, running the continuous integration tests added to verify correct Smstateen extension behavior can help ensure the vulnerability is mitigated.
