CVE-2026-29649
Hypervisor CSR Handling Flaw in NEMU Causes DoS
Publication date: 2026-04-20
Last updated on: 2026-04-24
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiangshan | nemu | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in NEMU's implementation of the RISC-V Hypervisor extension Control and Status Registers (CSRs). NEMU is the RISC-V emulator maintained in the OpenXiangShan project (used as the XiangShan reference model), so the flaw is in emulated CSR behaviour rather than in a hardware design. Specifically, bits 4 to 7 of the hypervisor environment configuration register (henvcfg), which hold the CBIE (bits 5:4), CBCFE (bit 6) and CBZE (bit 7) fields that gate the cache-block management instructions (cbo.inval, cbo.clean, cbo.flush, cbo.zero) in VS- and VU-mode, are masked or updated based on the corresponding fields of the machine environment configuration register (menvcfg). The RISC-V specification keeps these fields independent: menvcfg and henvcfg are checked in sequence, and a write to one must not change the other. In NEMU, a machine-mode write to menvcfg can therefore silently modify the hypervisor's henvcfg.
Because of this incorrect linkage, the enforcement of the virtualization configuration can be wrong: a guest executing a cache-block management instruction may take a trap (or be denied the instruction) that a conforming implementation would not raise, resulting in unexpected traps or denial of service in virtualized contexts.
How can this vulnerability impact me?
The vulnerability leads to incorrect enforcement of virtualization settings in NEMU's emulated RISC-V hypervisor environment. When machine-mode firmware writes menvcfg, the CBIE, CBCFE and CBZE fields of henvcfg can change without the hypervisor's knowledge, so cache-block management instructions executed by a guest in VS- or VU-mode may trap unexpectedly or be refused.
In practical terms, guest software running under a hypervisor on an affected NEMU build (for example, a software stack being tested or co-simulated on NEMU) can become unstable or stop making progress. Note that the trigger is a machine-mode write to menvcfg, which only firmware or other M-mode code can perform; a guest cannot write that register itself.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is in NEMU's handling of the henvcfg CSR fields relative to menvcfg, so it is not visible on a network; it is detected by checking the NEMU build you run or by observing the CSR behaviour inside NEMU. The most direct check is whether your NEMU source includes the fix from OpenXiangShan/NEMU pull request #689 (merged November 27, 2024, per this advisory).
For a behavioural check, run a small machine-mode test payload under NEMU with the Hypervisor extension enabled and observe whether a write to menvcfg changes bits 4 to 7 of henvcfg:
- Read both CSRs with `csrr` (for example `csrr t0, menvcfg` and `csrr t1, henvcfg`) and note bits 4 to 7 of henvcfg.
- Set bits 4 to 7 in henvcfg with `csrw henvcfg, ...`, then clear the same bits in menvcfg with `csrw menvcfg, ...`.
- Read henvcfg again. On a conforming implementation bits 4 to 7 are unchanged; if they were cleared by the menvcfg write, the build is affected.
- If henvcfg refuses to hold those bits at all (they read back as zero because the cache-block extensions are not implemented), the test is inconclusive rather than a pass.
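The probe described above, together with the unexpected-trap scenario from the explanation, as an added example in C (not NEMU's code and not from the advisory). Built for a RISC-V target it talks to the real menvcfg (CSR 0x30A) and henvcfg (CSR 0x60A) through inline assembly and must run in M-mode with the H extension enabled, called from your own bare-metal entry point; built on any other host it runs against a small software model of the two CSRs whose "coupled" mode emulates the flaw. The "clear henvcfg CB* fields on every menvcfg write" model of the bug, the firmware-toggle scenario and the function names are assumptions for illustration; the real NEMU behaviour differs in detail.

```c
#include <stdio.h>

/* Field layout shared by menvcfg/henvcfg/senvcfg (RISC-V privileged spec). */
#define ENVCFG_CBIE    (3UL << 4)  /* cache-block invalidate enable, 2 bits */
#define ENVCFG_CBCFE   (1UL << 6)  /* cache-block clean/flush enable */
#define ENVCFG_CBZE    (1UL << 7)  /* cache-block zero enable */
#define ENVCFG_CB_MASK (ENVCFG_CBIE | ENVCFG_CBCFE | ENVCFG_CBZE) /* bits 7:4 */

#if defined(__riscv)
/* Real CSRs, by number (menvcfg = 0x30A, henvcfg = 0x60A) so the assembler
 * needs no H-extension march flag. Must run in M-mode. */
static unsigned long read_menvcfg(void)    { unsigned long v; __asm__ volatile("csrr %0, 0x30A" : "=r"(v)); return v; }
static unsigned long read_henvcfg(void)    { unsigned long v; __asm__ volatile("csrr %0, 0x60A" : "=r"(v)); return v; }
static void write_menvcfg(unsigned long v) { __asm__ volatile("csrw 0x30A, %0" :: "r"(v)); }
static void write_henvcfg(unsigned long v) { __asm__ volatile("csrw 0x60A, %0" :: "r"(v)); }
#else
/* Host-side software model of the two CSRs (assumption, not NEMU's code).
 * model_coupled = 1 emulates the flaw: every menvcfg write clears the henvcfg
 * CB* fields that are clear in menvcfg. model_coupled = 0 is the fixed,
 * decoupled behaviour. */
static unsigned long model_menvcfg, model_henvcfg;
static int model_coupled;

static void model_reset(int coupled) { model_menvcfg = model_henvcfg = 0; model_coupled = coupled; }
static unsigned long read_menvcfg(void)    { return model_menvcfg; }
static unsigned long read_henvcfg(void)    { return model_henvcfg; }
static void write_henvcfg(unsigned long v) { model_henvcfg = v; }
static void write_menvcfg(unsigned long v) {
    model_menvcfg = v;
    if (model_coupled)
        model_henvcfg &= ~(ENVCFG_CB_MASK & ~v); /* the flaw: implicit henvcfg update */
}
#endif

/* Detection probe: set all CB* fields in henvcfg, then clear them in menvcfg.
 * Returns 1 if henvcfg bits 7:4 changed (coupling present), 0 if they held,
 * -1 if henvcfg will not hold the bits at all (Zicbom/Zicboz absent: inconclusive).
 * Both CSRs are restored before returning. */
int probe_henvcfg_coupling(void) {
    unsigned long m0 = read_menvcfg(), h0 = read_henvcfg();
    int result;
    write_henvcfg(h0 | ENVCFG_CB_MASK);
    unsigned long h_set = read_henvcfg() & ENVCFG_CB_MASK;
    if (h_set == 0) {
        result = -1;
    } else {
        write_menvcfg(m0 & ~ENVCFG_CB_MASK);
        result = (read_henvcfg() & ENVCFG_CB_MASK) != h_set;
    }
    write_menvcfg(m0);
    write_henvcfg(h0);
    return result;
}

/* Trap a VS-mode cbo.zero takes, following the layered check in the RISC-V
 * CMO spec: menvcfg.CBZE=0 -> illegal instruction (code 2); otherwise
 * henvcfg.CBZE=0 -> virtual instruction (code 22); otherwise it executes.
 * senvcfg is not consulted here because VS-mode, not VU-mode, is modelled. */
enum trap { TRAP_NONE = 0, TRAP_ILLEGAL_INSN = 2, TRAP_VIRTUAL_INSN = 22 };
enum trap vs_cbo_zero_trap(void) {
    if (!(read_menvcfg() & ENVCFG_CBZE)) return TRAP_ILLEGAL_INSN;
    if (!(read_henvcfg() & ENVCFG_CBZE)) return TRAP_VIRTUAL_INSN;
    return TRAP_NONE;
}

#if !defined(__riscv)
/* Assumed scenario for the unexpected trap: the hypervisor enables cbo.zero
 * for its guest, then M-mode firmware clears and re-sets menvcfg.CBZE (for
 * example during a reconfiguration). Returns the trap the guest's next
 * cbo.zero takes: TRAP_VIRTUAL_INSN on the coupled model, TRAP_NONE on the fixed one. */
enum trap guest_cbo_zero_after_firmware_toggle(int coupled) {
    model_reset(coupled);
    write_menvcfg(ENVCFG_CB_MASK);                 /* firmware: CMOs allowed below M-mode */
    write_henvcfg(ENVCFG_CB_MASK);                 /* hypervisor: CMOs allowed in VS/VU */
    write_menvcfg(read_menvcfg() & ~ENVCFG_CBZE);  /* firmware toggles CBZE off ... */
    write_menvcfg(read_menvcfg() | ENVCFG_CBZE);   /* ... and back on; coupled henvcfg stays cleared */
    return vs_cbo_zero_trap();
}

int main(void) {
    model_reset(1);
    printf("coupled model: probe=%d guest cbo.zero trap=%d\n",
           probe_henvcfg_coupling(), (int)guest_cbo_zero_after_firmware_toggle(1));
    model_reset(0);
    printf("fixed model:   probe=%d guest cbo.zero trap=%d\n",
           probe_henvcfg_coupling(), (int)guest_cbo_zero_after_firmware_toggle(0));
    return 0;
}
#endif
```

On a RISC-V build only `probe_henvcfg_coupling()` and `vs_cbo_zero_trap()` are compiled; the probe restores both CSRs, so it can be run from firmware without disturbing a hypervisor that is already configured, and a return value of -1 must be treated as "could not test" rather than "not affected".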
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to update NEMU to a build that decouples the henvcfg CSR fields from menvcfg, so that a write to menvcfg no longer implicitly modifies henvcfg.
Specifically, the fix merged in the OpenXiangShan/NEMU repository (pull request #689) corrects the dependency between henvcfg and menvcfg, ensuring that the CBIE, CBCFE and CBZE fields of henvcfg are independent of menvcfg.
Updating NEMU to a revision that includes this fix (merged on November 27, 2024) is therefore the recommended immediate step.
Until the fix is applied, treat NEMU's behaviour for cache-block management instructions in VS- and VU-mode as unreliable: any machine-mode write to menvcfg (for example by firmware during boot or reconfiguration) may silently change henvcfg, so a guest may trap on cbo.inval, cbo.clean, cbo.flush or cbo.zero where conforming hardware would not. Avoid relying on NEMU results for those paths, and avoid running workloads in virtualized contexts under NEMU that cannot tolerate such unexpected traps or the resulting denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.