CVE-2026-29645
Published: 20 April 2026
Summary
CVE-2026-29645 is a high-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Xiangshan Nemu. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It sits at the 9.2 percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely remediation of the funct3 validation flaw in NEMU's RISC-V Vector decoder by updating to v2025.12.r2 or later, where the fix is available.
- SI-10 (Information Input Validation): mandates validation of untrusted inputs such as crafted RISC-V instruction encodings, so that invalid OP-V encodings raise an illegal-instruction exception instead of being executed as vset* configuration instructions.
- Vulnerability scanning and monitoring: identifies affected NEMU versions in emulator, simulation and sandbox deployments before a crafted binary reaches them.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw in NEMU's instruction decoder lets a crafted RISC-V binary trigger incorrect trap behavior and corrupt the emulated architectural state; the resulting application-level denial of service maps directly to Application or System Exploitation (T1499.004).
NVD Description
NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing.
Deeper analysis
CVE-2026-29645 is an improper instruction-validation vulnerability in the RISC-V Vector (RVV) decoder of NEMU, an open-source RISC-V emulator maintained under the OpenXiangShan/NEMU project. Specifically, versions of NEMU before v2025.12.r2 fail to correctly validate the funct3 field during decoding of vsetvli, vsetivli, and vsetvl instructions. This allows certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions instead of triggering an illegal-instruction exception.
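To make the missing check concrete, the following C is an added example written for this page; it is not NEMU's decoder and not the patch shipped in v2025.12.r2. It encodes the vset* layouts from the RISC-V vector specification (OP-V major opcode 0x57; funct3 = 111 for the OPCFG row; bit 31, bits 31:30 and bits 31:25 selecting vsetvli, vsetivli and vsetvl respectively), a deliberately crude "unchecked" decoder that stands in for the flaw class described above (it classifies any OP-V word by its upper bits without consulting funct3), a hardened decoder that gates the vset* match on funct3, and a constructed probe word. The function names, the unchecked-decoder model and the probe word are assumptions made for this example, not details taken from the NEMU report.

```c
#include <stdint.h>
#include <stdio.h>

/* Encoding constants from the RISC-V "V" extension spec (v1.0). */
#define OPCODE_OP_V   0x57u   /* major opcode 1010111 */
#define FUNCT3_OPCFG  0x7u    /* vsetvli / vsetivli / vsetvl all carry funct3 = 111 */

enum vset_kind {
    VSET_NONE = 0,   /* not a vector-configuration instruction: hand to the arithmetic decoder */
    VSET_VSETVLI,
    VSET_VSETIVLI,
    VSET_VSETVL,
    VSET_ILLEGAL     /* funct3 = 111 but reserved upper-bit pattern: raise illegal-instruction */
};

struct vtype_fields { unsigned vlmul, vsew, vta, vma; };

static inline uint32_t bits(uint32_t x, int hi, int lo) {
    return (x >> lo) & ((1u << (hi - lo + 1)) - 1u);
}

/* Shared tail: select the vset* variant from the upper bits. Only meaningful
 * once the caller has established that the word is in the OPCFG row. */
static enum vset_kind classify_opcfg(uint32_t insn) {
    if (bits(insn, 31, 31) == 0)    return VSET_VSETVLI;   /* 0 | zimm[10:0] | rs1 */
    if (bits(insn, 31, 30) == 0x3)  return VSET_VSETIVLI;  /* 11 | zimm[9:0] | uimm[4:0] */
    if (bits(insn, 31, 25) == 0x40) return VSET_VSETVL;    /* 1000000 | rs2 | rs1 */
    return VSET_ILLEGAL;                                   /* 10 with nonzero bits 29:25 */
}

/* Hypothetical model of the flaw class the advisory describes (not NEMU's code):
 * the opcode is checked but funct3 is not, so any OP-V word whose upper bits
 * happen to match a vset* pattern is executed as a configuration instruction. */
enum vset_kind decode_vset_unchecked(uint32_t insn) {
    if (bits(insn, 6, 0) != OPCODE_OP_V) return VSET_NONE;
    return classify_opcfg(insn);
}

/* Hardened decoder: vset* lives only in the funct3 = 111 (OPCFG) row of OP-V.
 * Every other funct3 value is an arithmetic row (OPIVV, OPFVV, ..., OPMVX) and
 * must be decoded there, trapping if the funct6 slot is unassigned. */
enum vset_kind decode_vset_checked(uint32_t insn) {
    if (bits(insn, 6, 0) != OPCODE_OP_V)     return VSET_NONE;
    if (bits(insn, 14, 12) != FUNCT3_OPCFG)  return VSET_NONE;
    return classify_opcfg(insn);
}

/* vtype fields carried in the vsetvli immediate: vlmul[2:0], vsew[2:0], vta, vma.
 * This is what the unchecked path would install into vtype for a misdecoded word. */
struct vtype_fields vsetvli_vtype(uint32_t insn) {
    uint32_t zimm = bits(insn, 30, 20);
    struct vtype_fields f = { zimm & 0x7u, (zimm >> 3) & 0x7u, (zimm >> 6) & 1u, (zimm >> 7) & 1u };
    return f;
}

/* Assemble vsetvli rd, rs1, zimm11. */
uint32_t encode_vsetvli(unsigned rd, unsigned rs1, unsigned zimm11) {
    return ((zimm11 & 0x7FFu) << 20) | ((rs1 & 0x1Fu) << 15)
         | (FUNCT3_OPCFG << 12) | ((rd & 0x1Fu) << 7) | OPCODE_OP_V;
}

/* Constructed probe word (assumption for this example, not from the advisory):
 * OP-V, funct3 = 011 (OPIVI row), funct6 = 000001, vm = 1, all registers zero.
 * funct6 000001 has no instruction in the OPIVI table, so a correct decoder must
 * trap; bit 31 is 0, so a decoder that skips funct3 sees the vsetvli pattern. */
#define CRAFTED_OPIVI_WORD 0x06003057u

int main(void) {
    uint32_t good = encode_vsetvli(10, 11, 0x010);  /* vsetvli a0, a1, e32, m1 (tu, mu) */
    uint32_t bad  = CRAFTED_OPIVI_WORD;
    printf("%08x unchecked=%d checked=%d\n", good,
           decode_vset_unchecked(good), decode_vset_checked(good));
    printf("%08x unchecked=%d checked=%d\n", bad,
           decode_vset_unchecked(bad), decode_vset_checked(bad));
    struct vtype_fields f = vsetvli_vtype(bad);
    printf("vtype the unchecked path would install: vlmul=%u vsew=%u vta=%u vma=%u\n",
           f.vlmul, f.vsew, f.vta, f.vma);
    return 0;
}
```

Build with `cc -std=c99 -Wall vset_check.c` and run it. The genuine vsetvli decodes the same way under both decoders; the probe word is accepted as vsetvli by the unchecked decoder, which would then rewrite vtype and vl from bits that were never meant as a configuration immediate, while the checked decoder returns VSET_NONE and leaves the word to the arithmetic path, where an unassigned funct6 slot raises the illegal-instruction exception the advisory says was missing. The general rule the example illustrates is that in OP-V the funct3 row is the primary discriminator and must be tested before any pattern match on the upper bits.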
The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) rates the flaw as network-reachable with no privileges or user interaction required; in practice the attacker's precondition is getting a crafted RISC-V binary executed by an affected NEMU. Doing so leads to incorrect trap behavior, architectural state corruption or divergence, and potential denial of service. Note that the vector scores only an availability impact: the state corruption described is to the emulated guest's architectural state, not to the host. Exploitation is therefore most relevant where NEMU is trusted for accurate instruction emulation, such as testing, simulation, or sandboxing setups.
Mitigation is available by upgrading to NEMU v2025.12.r2 or later. The fix is in GitHub commit 481de637d5fc5838356caee80a79e56a33754039, which addresses the issue reported in OpenXiangShan/NEMU issue #952 and was merged via pull request #958. Additional technical context on the affected RISC-V Vector instructions is provided in the RISC-V ISA unprivileged vector specification.
Details
- CWE(s)