CVE-2026-29646 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 21, 2026
OpenXiangShan NEMU - Broken Access Control
Published: April 20, 2026 | Updated: April 21, 2026 | Remote Exploitable
Overview
OpenXiangShan NEMU prior to commit 55295c4 contains a privilege/virtualization isolation bypass caused by incorrect handling of VS-mode guest writes to the supervisor interrupt-enable CSR (sie) when RVH is enabled. Attackers can cause denial of service or a privilege-boundary violation. Exploitation requires running with RVH enabled.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can break privilege isolation, causing denial of service or privilege-boundary violation in virtualized environments.
Mitigation
Update to commit 55295c4 or later.
References
- https://docs.riscv.org/reference/isa/priv/supervisor.html
- https://docs.riscv.org/reference/isa/unpriv/zicsr.html
- https://github.com/OpenXiangShan/NEMU/issues/951
- https://github.com/OpenXiangShan/NEMU/pull/938
- https://github.com/OpenXiangShan/NEMU/pull/938/commits/55295c46580456d8d5a9d5736e1fda924b8825ab
- https://docs.riscv.org/reference/isa/priv/hypervisor.html
- https://docs.riscv.org/reference/isa/priv/machine.html
Details
- CVE ID: CVE-2026-29646
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_access_control
- Status: rejected
CWE
- CWE-267
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H