CVE-2026-29644 Overview
CVE-2026-29644 is an improper access control vulnerability in the XiangShan open-source high-performance RISC-V processor. The vulnerability exists in commit edb1dfaf7d290ae99724594507dc46c2c2125384 (dated 2024-11-28) due to improper gating of the distributed CSR (Control and Status Register) write-enable path. This flaw allows illegal CSR write attempts to alter custom PMA (Physical Memory Attribute) CSR state, violating the RISC-V privileged specification which requires an illegal-instruction exception for non-existent or illegal CSR accesses.
Critical Impact
Local attackers able to execute code on the core can exploit this vulnerability to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on how PMA enforces platform security and isolation boundaries.
Affected Products
- XiangShan RISC-V Processor commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28)
- XiangShan versions with affected distributed CSR write-enable path implementation
- Systems integrating affected XiangShan processor configurations
Discovery Timeline
- 2026-04-21 - CVE-2026-29644 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-29644
Vulnerability Analysis
The vulnerability stems from a flaw in how XiangShan handles CSR write operations within its distributed architecture. According to the RISC-V privileged specification, attempts to access non-existent or illegal CSRs should trigger an illegal-instruction exception. However, due to improper gating logic in the write-enable path, affected XiangShan versions propagate these illegal write operations to replicated PMA configuration state instead of properly rejecting them.
PMA (Physical Memory Attribute) CSRs are critical security components that define memory region attributes such as cacheability, atomicity support, and access permissions. When an attacker can manipulate these registers through illegal CSR writes, they can potentially alter how the processor treats specific memory regions, undermining isolation and security enforcement mechanisms.
The impact depends heavily on the system integration and how PMA is used to enforce platform security boundaries. In systems where PMA provides critical isolation between privilege levels or security domains, this vulnerability could enable significant security breaches.
Root Cause
The root cause is classified as CWE-284 (Improper Access Control). The distributed CSR write-enable path in XiangShan lacks proper validation gating, failing to ensure that illegal CSR access attempts are completely blocked before they can affect the replicated PMA configuration state. This represents an implementation deviation from the RISC-V privileged specification requirements for CSR access handling.
Attack Vector
This is a local attack vector requiring the attacker to have code execution capability on the affected processor core; the specific privilege level required depends on the system integration. An attacker would issue CSR write instructions targeting non-existent or illegal CSR addresses, which the improper gating allows to modify PMA configuration state instead of trapping with an illegal-instruction exception. This could allow:
- Modification of memory region attributes to bypass access controls
- Alteration of cacheability settings to enable side-channel attacks
- Disruption of memory isolation boundaries between security domains
The vulnerability mechanism involves crafting illegal CSR write instructions that should be rejected but instead propagate through the distributed write-enable path to modify PMA state. For detailed technical analysis, see GitHub Issue #3959 and the XiangShan MMU Documentation.
Detection Methods for CVE-2026-29644
Indicators of Compromise
- Unexpected changes to PMA CSR values without corresponding legitimate configuration operations
- Illegal instruction exceptions not being raised for invalid CSR access attempts
- Anomalous memory attribute configurations that don't match expected system policy
- Evidence of memory access patterns inconsistent with defined PMA boundaries
Detection Strategies
- Implement runtime monitoring for CSR access patterns, particularly focusing on writes to PMA-related registers
- Enable and review processor exception logging to identify missing illegal-instruction exceptions for invalid CSR accesses
- Deploy hardware security monitors that validate PMA state integrity against expected configurations
- Audit firmware and software for attempts to access undefined or reserved CSR addresses
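The audit recommended above can be scripted. The following is an added example, not XiangShan's tooling or code from this advisory: it decodes the CSR instructions in a code image and flags writes that the RISC-V privileged specification requires to trap, which is the class of write the affected gating lets through to PMA state. The CSR allowlist and the sample instruction words are constructed, and because the advisory does not give the custom PMA CSR addresses, 0x7c0 stands in as an unallocated custom-range address.

```python
# Added audit script, not XiangShan tooling; allowlist and sample words are constructed.
# CSRs the audited platform is expected to touch (a real list would include every
# documented CSR, e.g. the custom PMA CSRs this advisory refers to).
KNOWN_CSRS = {0x100, 0x105, 0x180, 0x300, 0x305, 0x341, 0x342, 0xF14}
CSR_FUNCT3 = {1: "csrrw", 2: "csrrs", 3: "csrrc", 5: "csrrwi", 6: "csrrsi", 7: "csrrci"}

def decode_csr_op(insn):
    """Return (mnemonic, csr, rs1_or_uimm, writes) for a CSR instruction, else None."""
    if insn & 0x7F != 0x73:               # SYSTEM opcode
        return None
    funct3 = (insn >> 12) & 7
    if funct3 not in CSR_FUNCT3:          # ecall/mret/wfi or reserved encodings
        return None
    csr = (insn >> 20) & 0xFFF
    src = (insn >> 15) & 0x1F             # rs1 (register forms) or uimm (*i forms)
    # csrrw/csrrwi always write; csrrs/csrrc and their *i forms write only when
    # the source register or immediate is non-zero.
    writes = funct3 in (1, 5) or src != 0
    return CSR_FUNCT3[funct3], csr, src, writes

def audit_csr_writes(words, priv=3, known=KNOWN_CSRS):
    """Flag CSR writes that must trap when executed at privilege `priv`
    (0=U, 1=S, 3=M).  Returns [(index, mnemonic, csr, reason)]."""
    findings = []
    for i, insn in enumerate(words):
        op = decode_csr_op(insn)
        if op is None or not op[3]:
            continue
        name, csr = op[0], op[1]
        min_priv = (csr >> 8) & 3         # CSR address bits [9:8]: lowest privilege
        if min_priv == 2:                 # hypervisor CSRs are reachable from HS-mode
            min_priv = 1
        if (csr >> 10) & 3 == 3:          # address bits [11:10] == 11: read-only CSR
            findings.append((i, name, csr, "write to read-only CSR"))
        elif min_priv > priv:
            findings.append((i, name, csr, "CSR requires higher privilege"))
        elif csr not in known:
            findings.append((i, name, csr, "CSR not in platform allowlist"))
    return findings

SAMPLE = [              # constructed 32-bit instruction words
    0x30051073,         # csrw mstatus, a0          legal write in M-mode
    0xF1402573,         # csrr a1, mhartid          read of a read-only CSR: legal
    0x30002073,         # csrrs x0, mstatus, x0     rs1 = x0, so no write: legal
    0xF1451073,         # csrw mhartid, a0          write to read-only CSR: must trap
    0x7C051073,         # csrw 0x7c0, a0            unallocated custom CSR: must trap
    0x00150513,         # addi a0, a0, 1            not a CSR instruction
]
```

In practice the word list comes from the firmware image (for example the instruction column of an objdump listing), and every finding should be confirmed to raise an illegal-instruction exception on the target core rather than silently update any CSR state.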
Monitoring Recommendations
- Configure system monitoring to alert on unexpected PMA configuration changes
- Implement integrity checking for security-critical CSR state during runtime
- Review processor telemetry for anomalous CSR access patterns
- Establish baseline PMA configurations and monitor for deviations
How to Mitigate CVE-2026-29644
Immediate Actions Required
- Review your XiangShan processor implementation to determine if it includes the affected commit edb1dfaf7d290ae99724594507dc46c2c2125384
- Apply the fix from commit 2b1f9796aa98597e5eeac32e5bb1418496987ca4 which addresses the improper gating issue
- Regenerate and rebuild affected processor RTL with the corrected CSR write-enable path implementation
- Conduct security testing to verify proper illegal-instruction exception generation for invalid CSR accesses
Patch Information
The XiangShan project has addressed this vulnerability in commit 2b1f9796aa98597e5eeac32e5bb1418496987ca4. This fix corrects the gating logic in the distributed CSR write-enable path to ensure illegal CSR write attempts are properly rejected and do not propagate to PMA configuration state. Organizations using XiangShan should update to a version incorporating this fix.
For additional context on the vulnerability and fix, refer to the GitHub Issue #3959 and the RISC-V Privileged CSR Documentation for specification requirements.
Workarounds
- Implement additional software-level validation of PMA state before security-critical operations
- Where possible, restrict code execution on affected cores to trusted software only
- Deploy additional memory protection mechanisms at the system level that don't solely rely on processor PMA enforcement
- Consider implementing hypervisor or TEE-level monitoring of PMA state integrity as an additional defense layer
# Verification: check whether your XiangShan build includes the fix.
# Navigate to your XiangShan repository and test whether the fix commit is an
# ancestor of the checked-out revision. Grepping the short hash out of
# "git log --oneline" is not reliable: the fix may have been merged under a
# different hash (e.g. after a rebase), in which case inspect the commit
# message and the CSR write-enable gating logic directly.
cd /path/to/XiangShan
git fetch origin
if git merge-base --is-ancestor 2b1f9796aa98597e5eeac32e5bb1418496987ca4 HEAD; then
    echo "fix commit is present in the current revision"
else
    echo "fix commit not found; applying it (resolve any conflicts, then rebuild the RTL)"
    git cherry-pick 2b1f9796aa98597e5eeac32e5bb1418496987ca4
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.