CVE-2026-29647 Overview
CVE-2026-29647 is an improper privilege management vulnerability affecting OpenXiangShan NEMU, a RISC-V emulator used for architectural simulation and development. The vulnerability stems from insufficient enforcement of Smstateen permission controls, allowing lower-privileged code to access IMSIC (Incoming MSI Controller) state via stopei and vstopei CSRs (Control and Status Registers) even when the mstateen0.IMSIC bit is cleared.
This permission bypass vulnerability enables unauthorized access to interrupt controller state, potentially leading to cross-context information leakage or disruption of interrupt handling in virtualized or privileged environments.
Critical Impact
Lower-privileged code can bypass RISC-V Smstateen security controls to access protected IMSIC state, enabling information disclosure across privilege boundaries and potential disruption of interrupt handling mechanisms.
Affected Products
- OpenXiangShan NEMU (RISC-V emulator)
- Systems implementing RISC-V Smstateen extension with IMSIC support
- XiangShan processor implementations using affected NEMU versions
Discovery Timeline
- 2026-04-20 - CVE CVE-2026-29647 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-29647
Vulnerability Analysis
The vulnerability is classified as CWE-269 (Improper Privilege Management) and affects the Smstateen extension implementation in OpenXiangShan NEMU. The RISC-V Smstateen extension provides fine-grained control over which state is accessible to lower privilege levels. When properly implemented, clearing the mstateen0.IMSIC bit should prevent supervisor and user-mode code from accessing IMSIC-related CSRs.
In the vulnerable implementation, the permission check for stopei (Supervisor Top External Interrupt) and vstopei (Virtual Supervisor Top External Interrupt) CSRs fails to properly validate the mstateen0.IMSIC control bit before granting access. This architectural violation allows lower-privileged execution contexts to read or write IMSIC state that should be protected by higher privilege levels.
Root Cause
The root cause lies in the CSR access control logic within NEMU's implementation of the Smstateen extension. The emulator fails to check the mstateen0.IMSIC bit before allowing access to stopei and vstopei registers. According to the RISC-V privileged specification, when mstateen0.IMSIC is cleared, any attempt by S-mode or VS-mode to access these CSRs should result in an illegal instruction exception. The vulnerable code path bypasses this check, allowing unrestricted access regardless of the mstateen0 configuration.
Attack Vector
The attack vector requires network accessibility with low attack complexity. An attacker with low-privilege code execution capability can exploit this vulnerability to:
- Read IMSIC state from other privilege contexts, leaking information about pending interrupts and interrupt configuration
- Potentially manipulate interrupt delivery by writing to protected CSRs
- Cause denial of service by disrupting normal interrupt handling
The vulnerability requires authenticated access but no user interaction, making it exploitable in multi-tenant or virtualized environments where privilege isolation is critical.
The vulnerability manifests in the CSR access path when handling stopei and vstopei register operations. When these registers are accessed, the implementation should verify that mstateen0.IMSIC is set before permitting the operation. The missing check allows the read/write to proceed unconditionally. For technical implementation details, see the GitHub Issue #691 tracking this vulnerability.
Detection Methods for CVE-2026-29647
Indicators of Compromise
- Unexpected access patterns to stopei or vstopei CSRs from supervisor or user-mode contexts
- Illegal instruction exceptions that should have occurred but were not generated
- Anomalous interrupt behavior or delivery patterns in virtualized environments
- Privilege escalation attempts targeting interrupt handling mechanisms
Detection Strategies
- Monitor CSR access patterns for stopei and vstopei accesses when mstateen0.IMSIC should be cleared
- Implement runtime privilege validation checks in security-critical RISC-V environments
- Deploy architectural compliance testing to verify Smstateen enforcement
- Enable tracing of CSR operations in development and testing environments
Monitoring Recommendations
- Configure logging for all CSR access operations in NEMU debugging modes
- Implement privilege boundary crossing alerts in virtualized RISC-V deployments
- Review interrupt handling audit logs for unauthorized state modifications
- Use architectural simulation tools to verify privilege isolation behavior
How to Mitigate CVE-2026-29647
Immediate Actions Required
- Update OpenXiangShan NEMU to a patched version that properly enforces mstateen0.IMSIC checks
- Review and audit any systems using affected NEMU versions for potential exploitation
- Implement additional privilege isolation controls in environments where NEMU is used for security-sensitive workloads
- Consider restricting access to NEMU instances in multi-tenant environments until patched
Patch Information
A fix has been developed and is tracked in GitHub Pull Request #3978. The patch implements proper mstateen0.IMSIC permission checking before allowing access to stopei and vstopei CSRs. Users should apply this fix or upgrade to a NEMU release that includes the correction.
For reference on the expected behavior of the Smstateen extension, consult the RISC-V Privilege State Documentation.
Workarounds
- Restrict execution of untrusted code in NEMU environments until patches are applied
- Implement hypervisor-level access controls to limit CSR access in virtualized deployments
- Use alternative RISC-V emulators or simulators for security-critical testing scenarios
- Configure mstateen0 bits conservatively and add external monitoring for policy violations
# Verify NEMU version and check for applied patches
cd /path/to/NEMU
git log --oneline | grep -i "smstateen\|imsic\|stopei"
# Check if PR #3978 fix is included in your version
git log --oneline | grep -i "691\|3978"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
