CVE-2026-29642
Published: 20 April 2026
Summary
CVE-2026-29642 is a high-severity Internal Asset Exposed to Unsafe Debug Access Level or State (CWE-1244) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 1.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the improper menvcfg CSR handling vulnerability by applying the XiangShan patch from commit 5e3dd63.
- SI-7 (Software, Firmware, and Information Integrity): verifies and monitors the integrity of processor firmware to ensure only the patched XiangShan version is deployed and unaltered.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies systems using affected XiangShan versions up to commit aecf601e803bfd2371667a3fb60bfcd83c333027 as vulnerable to CVE-2026-29642.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local M-mode CSR manipulation in the RISC-V core allows unauthorized modification of reserved status bits, directly enabling privilege escalation or high-impact confidentiality, integrity and availability effects on the host system.
NVD Description
A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as "writes preserve values, reads ignore values," i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.
Deeper analysis
CVE-2026-29642 is a vulnerability in the XiangShan open-source RISC-V processor implementation, affecting versions up to commit aecf601e803bfd2371667a3fb60bfcd83c333027 (dated 2024-11-19). It stems from improper handling of reads and writes to the menvcfg control and status register (CSR) in Machine mode (M-mode), such as via csrrs instructions. These operations can unexpectedly set reserved WPRI bits in the xstatus status view to 1, violating RISC-V specifications that define WPRI fields as "writes preserve values, reads ignore values." Such fields must remain unmodified by software manipulating other CSRs, and menvcfg itself contains multiple WPRI bits. The issue is tracked under CWE-1244 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-20.
A local attacker capable of executing privileged CSR operations, or of inducing firmware to do so, can exploit this flaw with low complexity. Exploitation involves performing crafted menvcfg accesses in M-mode, leading to high-impact confidentiality, integrity, and availability effects through unauthorized modification of reserved processor state bits.
Mitigation is available via XiangShan commit 5e3dd63 on GitHub, which fixes the issue in versions after the affected commit. Additional details are in GitHub issue #3934. RISC-V privileged ISA documentation at the referenced URLs outlines machine-mode CSRs and WPRI field behaviors.
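The property this CVE violates, stated as a checkable model. The block below is an added example, not code from XiangShan or the advisory: it encodes the architectural csrrs semantics (WPRI bits are never written) and a checker that flags a simulation trace in which an mstatus snapshot taken after a menvcfg access differs from the one taken before it in a WPRI field. The menvcfg and mstatus bit masks are a simplified base layout assumed for illustration; the exact WPRI set depends on which extensions a core implements.

```python
# Reference model of WPRI-preserving CSR behaviour plus a trace checker for
# the CVE-2026-29642 symptom (mstatus WPRI bits flipping after a menvcfg access).
# Bit layouts are an assumed, simplified base layout without optional extensions.

MASK64 = (1 << 64) - 1

# menvcfg defined bits: FIOM(0), CBIE(3:2), CBCFE(4), CBZE(6), PBMTE(62), STCE(63)
MENVCFG_DEFINED = (1 << 0) | (0b11 << 2) | (1 << 4) | (1 << 6) | (1 << 62) | (1 << 63)
# RV64 mstatus defined bits (base layout): SIE, MIE, SPIE, UBE, MPIE, SPP, VS, MPP,
# FS, XS, MPRV..TSR, UXL, SXL, SBE, MBE, GVA, MPV, SD
MSTATUS_DEFINED = (
    (1 << 1) | (1 << 3) | (1 << 5) | (1 << 6) | (1 << 7) | (1 << 8)
    | (0b11 << 9) | (0b11 << 11) | (0b11 << 13) | (0b11 << 15)
    | (0b111111 << 17)   # MPRV, SUM, MXR, TVM, TW, TSR
    | (0b1111 << 32)     # UXL, SXL
    | (0b1111 << 36)     # SBE, MBE, GVA, MPV
    | (1 << 63)          # SD
)
# Everything not architecturally defined is treated as WPRI (reserved).
MENVCFG_WPRI = MASK64 & ~MENVCFG_DEFINED
MSTATUS_WPRI = MASK64 & ~MSTATUS_DEFINED


def csrrs(csrs, name, bits, defined):
    """Architectural csrrs: set requested bits of one CSR, masking out WPRI
    bits, and leave every other CSR untouched. Returns a new CSR snapshot."""
    csrs = dict(csrs)
    csrs[name] = csrs[name] | (bits & defined)
    return csrs


def wpri_violations(before, after, wpri_mask):
    """Bits that changed between two snapshots of a CSR and lie in a WPRI
    field. Non-zero is the anomaly this CVE describes."""
    return (before ^ after) & wpri_mask


def check_trace(trace):
    """trace: list of (mstatus_before, mstatus_after) pairs captured around
    each menvcfg access in a simulation. Returns indices of offending accesses."""
    return [i for i, (b, a) in enumerate(trace) if wpri_violations(b, a, MSTATUS_WPRI)]


def reference_run():
    """Constructed sample: csrrs on menvcfg with STCE plus a reserved bit (bit 1).
    Returns (mstatus before, mstatus after, menvcfg after); mstatus must not change."""
    csrs = {"mstatus": 0x0000000A00001800, "menvcfg": 0}   # MPP=3, UXL=SXL=2
    after = csrrs(csrs, "menvcfg", (1 << 63) | (1 << 1), MENVCFG_DEFINED)
    return csrs["mstatus"], after["mstatus"], after["menvcfg"]
```

Feeding `check_trace` with before/after mstatus pairs logged by a testbench around each menvcfg access turns the advisory's description into a regression check that passes on a fixed core and fails on one showing the reported behaviour.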
Details
- CWE(s)