CVE-2026-29646
Published: 20 April 2026
Summary
CVE-2026-29646 is a critical-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in RISC-V (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 23.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely remediation through updating NEMU to commit 55295c4 or later, fixing the sie CSR mishandling.
- AC-25 (Reference Monitor): Mandates a reference monitor that correctly mediates VS-mode guest writes to the sie CSR, preventing unauthorized influence on machine-level mie state and preserving privilege isolation.
- SC-50 (Software-enforced Separation and Policy Enforcement): Enforces software-based separation and policy mechanisms in the NEMU hypervisor emulator to block guest manipulations that violate virtualization isolation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE explicitly describes a privilege escalation vulnerability in NEMU's hypervisor extension (RVH) that allows a VS-mode guest to incorrectly modify machine-level interrupt state (mie via sie), directly enabling exploitation to cross privilege boundaries or achieve higher privileges within the emulated environment.
NVD Description
In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.
Deeper analysis
CVE-2026-29646 is a privilege escalation vulnerability in OpenXiangShan NEMU prior to commit 55295c4. When running with the RVH (Hypervisor extension) enabled, a write from a VS-mode guest to the supervisor interrupt-enable CSR (sie) is mishandled, allowing it to incorrectly influence the machine-level interrupt enable state (mie). This flaw violates privilege and virtualization isolation, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-267.
A remote, unauthenticated attacker controlling a VS-mode guest can exploit this issue with low complexity and no user interaction. By performing a targeted write to the sie CSR, the attacker can manipulate the mie state, potentially causing denial of service or crossing privilege boundaries in systems that rely on NEMU for accurate interrupt virtualization.
References include RISC-V ISA documentation on hypervisor, machine, supervisor, and Zicsr privileged instructions, along with OpenXiangShan NEMU GitHub issue #951, which details the flaw. Mitigation requires updating to NEMU commit 55295c4 or later to address the incorrect handling of sie writes under RVH.
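To make the isolation property concrete, here is an added, simplified C model of sie CSR write handling (it is not NEMU's code and does not reproduce NEMU's internals). It assumes the RISC-V privileged-spec rule that with V=1 a write to sie is redirected to vsie and masked by hideleg, while with V=0 sie is the mideleg-masked view of mie; the spec's bit-shifted aliasing of vsie onto hie is omitted for brevity. The check function is the kind of regression test an emulator test suite would want for this bug class.

```c
#include <stdint.h>
#include <stdbool.h>

/* Minimal model of the interrupt-enable CSRs involved (constructed, not NEMU's). */
typedef struct {
    uint64_t mie;      /* machine-level interrupt-enable register */
    uint64_t mideleg;  /* M->S delegation: which sie bits are writable in HS-mode */
    uint64_t hideleg;  /* HS->VS delegation: which vsie bits are writable in VS-mode */
    uint64_t vsie;     /* VS-level interrupt-enable (what sie aliases when V=1) */
    bool     v;        /* virtualization mode bit: true while a VS-mode guest runs */
} csr_state;

/* Spec-aligned handling: the virtualization mode decides which register a
 * write to sie actually reaches, so a guest with V=1 can never touch mie. */
void write_sie(csr_state *s, uint64_t val) {
    if (s->v) {
        /* V=1: sie is an alias of vsie; only hideleg-delegated bits are writable */
        s->vsie = (s->vsie & ~s->hideleg) | (val & s->hideleg);
    } else {
        /* V=0: sie is the mideleg-masked view of mie */
        s->mie = (s->mie & ~s->mideleg) | (val & s->mideleg);
    }
}

/* Mishandled variant illustrating the bug class the advisory describes:
 * the V bit is never consulted, so a VS-mode guest write lands in mie. */
void write_sie_ignoring_v(csr_state *s, uint64_t val) {
    s->mie = (s->mie & ~s->mideleg) | (val & s->mideleg);
}

/* Regression check: does a VS-mode (V=1) write to sie leave mie unchanged?
 * Constructed sample state: SSIE/STIE/SEIE set and delegated to S-mode. */
bool vs_write_preserves_mie(void (*handler)(csr_state *, uint64_t)) {
    csr_state s = { .mie = 0x222, .mideleg = 0x222, .hideleg = 0x444,
                    .vsie = 0, .v = true };
    uint64_t before = s.mie;
    handler(&s, 0);            /* guest attempts to clear every enable bit */
    return s.mie == before;    /* true only if privilege isolation held */
}
```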
Details
- CWE(s)