{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29648", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T19:50:38.197Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T20:07:13.590Z"}, "descriptions": [{"lang": "en", "value": "In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/690"}, {"url": "https://github.com/OpenXiangShan/XiangShan/pull/3978"}, {"url": "https://docs.riscv.org/reference/isa/priv/smstateen.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/690", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:51:57.142448Z", "id": "CVE-2026-29648", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:50:38.197Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29648", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T18:51:57.142448Z"}}}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/690", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:51:42.611Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/690"}, {"url": "https://github.com/OpenXiangShan/XiangShan/pull/3978"}, {"url": "https://docs.riscv.org/reference/isa/priv/smstateen.html"}], "descriptions": [{"lang": "en", "value": "In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T20:07:13.590Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29648", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:50:38.197Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments."}], "id": "CVE-2026-29648", "lastModified": "2026-04-21T20:16:40.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T21:16:19.733", "references": [{"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/smstateen.html"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/NEMU/issues/690"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/XiangShan/pull/3978"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/OpenXiangShan/NEMU/issues/690"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "nemu", "vendor": "openxiangshan"}], "analysis": {"en": {"generated_at": "2026-04-22T07:36:52.131406+00:00", "value": {"mitigation_remediation": ["Check the latest NEMU release notes for a fix to the Smstateen handling bug; apply the update if available.", "If updating is not immediately possible, disable Smstateen by setting the corresponding CSR bit to avoid the bug.", "Verify that lower\u2011privileged code cannot access henvcfg or senvcfg after applying any change; consider monitoring access to these CSRs."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "OpenXiangShan NEMU is affected. No version information is specified.", "description_and_impact": "In OpenXiangShan NEMU, enabling Smstateen allows less\u2011privileged code to read or write the henvcfg and senvcfg CSRs because clearing mstateen0.ENVCFG does not enforce the expected exception. This bypasses isolation controls in virtualized or multi\u2011privilege environments, giving attackers elevated privileges over sensitive state registers.", "risk_and_exploitability": "The vulnerability is a privilege escalation flaw exposing privileged CSRs to code that should be denied. The EPSS score is < 1% and the vulnerability is not listed in CISA KEV, but because it enables unauthorized register access, any user with a lower privilege level in the virtual machine could exploit it. The attack vector appears to be local within the emulated environment, but could be leveraged by an attacker who can inject code into the NEMU instance. The CVSS score is 8.8."}}}}, "created": "2026-04-21T00:15:16.115139+00:00", "title": "Privilege Escalation via Improper CSRs Access in OpenXiangShan NEMU", "updated": "2026-04-28T09:26:43.257046+00:00", "vendors": ["openxiangshan", "openxiangshan$PRODUCT$nemu"]}