CVE-2026-29648
Privilege Escalation via CSR Access Bypass in OpenXiangShan NEMU

Publication date: 2026-04-20

Last updated on: 2026-04-21

Assigner: MITRE

Description
In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments.
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
openxiangshan | xiangshan | *
openxiangshan | nemu | *
CWE
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

In OpenXiangShan NEMU, when the Smstateen feature is enabled, clearing the ENVCFG bit of the mstateen0 register does not properly restrict access to the henvcfg and senvcfg control and status registers (CSRs).

This flaw allows less-privileged code to read or write these CSRs without triggering the required exceptions, which means that the intended isolation controls based on state-enable settings can be bypassed in virtualized or multi-privilege environments.


How can this vulnerability impact me?

This vulnerability can allow less-privileged code to access or modify critical control registers that should be protected.

As a result, it may lead to bypassing isolation mechanisms designed to separate different privilege levels or virtualized environments, potentially enabling unauthorized access or control over system resources.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows less-privileged code to read or write certain Control and Status Registers (CSRs) without the required exception, potentially bypassing intended isolation controls in virtualized or multi-privilege environments.

This unauthorized access could undermine security controls that are critical for protecting sensitive data and maintaining system integrity, which are essential aspects of compliance with standards such as GDPR and HIPAA.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by verifying whether access to the henvcfg and senvcfg CSRs is incorrectly allowed when the ENVCFG bit in the mstateen0 register is cleared and the system is running in mode=1.

A practical detection method involves clearing the ENVCFG bit in mstateen0, setting mode=1, and then attempting to access the xenvcfg registers. According to the RISC-V specification, such access should trigger an illegal instruction exception if the vulnerability is not present.

  • Clear the ENVCFG bit in mstateen0.
  • Set the system mode to 1.
  • Attempt to read or write to henvcfg, henvcfgh, or senvcfg CSRs.
  • Check if the access triggers an illegal instruction exception as expected.
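The detection procedure above, written out as an added example that is not part of the advisory or of the NEMU code base: a small reference model of the Smstateen access rules for senvcfg/henvcfg, plus a `detection_test` function that runs the four steps against it. It assumes that "mode=1" means RISC-V privilege level 1 (S-mode), that the simplified exception ordering below matches the RISC-V privileged specification, and that the `buggy` flag models the flaw as the description states it (mstateen0.ENVCFG ignored); all three are assumptions of this example.

```python
# Added example: simplified reference model of the Smstateen access check for
# senvcfg/henvcfg. Not NEMU code; the rules below are the example author's
# reading of the RISC-V privileged spec (assumption), good enough to express the
# advisory's detection test as a reproducible check.

PRIV_U, PRIV_S, PRIV_M = 0, 1, 3   # RISC-V privilege encodings; mode 1 = S-mode
ENVCFG_BIT = 1 << 62               # bit 62 of mstateen0 / hstateen0

# Minimum privilege needed for each CSR and whether VS-mode may touch it.
# henvcfgh only exists on RV32 and follows the same rules as henvcfg.
CSR_RULES = {
    "senvcfg":  {"min_priv": PRIV_S, "vs_ok": True},
    "henvcfg":  {"min_priv": PRIV_S, "vs_ok": False},   # HS-level CSR
    "henvcfgh": {"min_priv": PRIV_S, "vs_ok": False},
}


def csr_access(csr, priv, virt, mstateen0, hstateen0, *, buggy=False):
    """Return 'ok', 'illegal' or 'virtual' for one CSR access.

    priv: current privilege level; virt: True when executing in VS/VU mode.
    buggy=True models the reported flaw: mstateen0.ENVCFG is never consulted,
    so the state-enable check silently passes.
    """
    rule = CSR_RULES[csr]
    if priv < rule["min_priv"]:
        return "virtual" if virt else "illegal"   # U/VU cannot reach S-level CSRs
    if virt and not rule["vs_ok"]:
        return "virtual"                          # VS-mode touching an HS CSR
    if priv < PRIV_M and not (mstateen0 & ENVCFG_BIT) and not buggy:
        return "illegal"                          # mstateen0.ENVCFG clear
    if virt and not (hstateen0 & ENVCFG_BIT):
        return "virtual"                          # hstateen0.ENVCFG clear
    return "ok"


def detection_test(buggy=False):
    """Advisory steps: clear mstateen0.ENVCFG, run in S-mode (mode=1), access
    each xenvcfg CSR. Every access must raise an illegal instruction exception.
    Returns True when behaviour matches the spec, False when vulnerable."""
    mstateen0 = 0                                 # ENVCFG bit cleared (step 1)
    results = {csr: csr_access(csr, PRIV_S, False, mstateen0, 0, buggy=buggy)
               for csr in CSR_RULES}              # steps 2 and 3
    return all(r == "illegal" for r in results.values())   # step 4
```

Running `detection_test()` against a model that honours mstateen0.ENVCFG returns True; the `buggy=True` variant returns False because the accesses succeed instead of trapping.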

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves applying the fixes that correct the access control issues related to the Smstateen extension in OpenXiangShan and NEMU.

Specifically, update your system to include the patches that:

  • Correct the access checks for custom CSRs when Smstateen is enabled.
  • Ensure that clearing the ENVCFG bit in mstateen0 properly restricts access to henvcfg and senvcfg CSRs.
  • Remove incorrect illegal instruction checks that interfere with proper privilege-level access enforcement.
  • Add missing access checks for related CSRs such as stopi in the AIA module.

These fixes have been implemented in recent commits in the OpenXiangShan and NEMU repositories and verified by continuous integration tests.

Until patches are applied, restrict access to affected systems and avoid enabling Smstateen with ENVCFG cleared in production environments.

