Cyber Resilience

CVE-2026-29646

Critical

Published: 20 April 2026

Modified: 21 April 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (28.3rd percentile)
Risk Priority: 70 (floored blend; peak EPSS)

Summary

CVE-2026-29646 is a critical-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in Riscv (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 28.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).

Deeper analysis

CVE-2026-29646 is a privilege escalation vulnerability in OpenXiangShan NEMU prior to commit 55295c4. When running with the RVH (Hypervisor extension) enabled, a write from a VS-mode guest to the supervisor interrupt-enable CSR (sie) is mishandled, allowing it to incorrectly influence the machine-level interrupt enable state (mie). This flaw violates privilege and virtualization isolation, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-267.

A remote, unauthenticated attacker controlling a VS-mode guest can exploit this issue with low complexity and no user interaction. By performing a targeted write to the sie CSR, the attacker can manipulate the mie state, potentially causing denial of service or crossing privilege boundaries in systems that rely on NEMU for accurate interrupt virtualization.

References include RISC-V ISA documentation on hypervisor, machine, supervisor, and Zicsr privileged instructions, along with OpenXiangShan NEMU GitHub issue #951, which details the flaw. Mitigation requires updating to NEMU commit 55295c4 or later to address the incorrect handling of sie writes under RVH.
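To make the isolation property concrete, here is an added illustrative C model of how a CSR implementation should mediate a write to sie when the H extension is enabled; it is example code written for this page, not NEMU's implementation, and the register layout and delegation semantics it assumes are those of the RISC-V privileged specification (sie/vsie aliasing, mideleg and hideleg masks). A VS-mode write may reach only the hideleg-delegated VS-level bits of mie; the final function is the regression check a defender would run against an emulator model to catch the class of bug described above.

```c
/* Illustrative model of sie write mediation under the RISC-V H extension
 * (added example, not NEMU's code). Property: a VS-mode (V=1) sie write is
 * redirected to vsie and may touch only the hideleg-delegated VS-level mie bits. */
#include <stdbool.h>
#include <stdint.h>
/* Interrupt-enable bit positions from the RISC-V privileged spec. */
#define S_INTERRUPTS  ((1ull << 1) | (1ull << 5) | (1ull << 9))   /* SSIE, STIE, SEIE */
#define VS_INTERRUPTS ((1ull << 2) | (1ull << 6) | (1ull << 10))  /* VSSIE, VSTIE, VSEIE */
#define MTIE (1ull << 7)
#define MEIE (1ull << 11)
typedef struct {
    uint64_t mie;      /* machine interrupt-enable register */
    uint64_t mideleg;  /* M -> S delegation mask */
    uint64_t hideleg;  /* HS -> VS delegation mask */
} csr_state;

/* Model of "csrw sie, val"; virt == true means a VS-mode guest issued it. */
void write_sie(csr_state *s, bool virt, uint64_t val)
{
    uint64_t wmask, newbits;
    if (virt) {
        /* V=1: sie aliases vsie. Bits 1/5/9 of the value map to mie bits
         * 2/6/10 (VSSIE/VSTIE/VSEIE), and only where hideleg delegates. */
        wmask   = s->hideleg & VS_INTERRUPTS;
        newbits = (val & (VS_INTERRUPTS >> 1)) << 1;
    } else {
        /* V=0 (HS-mode): sie is the mideleg-restricted view of mie. */
        wmask   = s->mideleg & S_INTERRUPTS;
        newbits = val;
    }
    s->mie = (s->mie & ~wmask) | (newbits & wmask);
}

/* Resulting mie after one sie write, for quick checks. */
uint64_t mie_after_sie_write(uint64_t mie, uint64_t mideleg, uint64_t hideleg,
                             bool virt, uint64_t val)
{
    csr_state s = { mie, mideleg, hideleg };
    write_sie(&s, virt, val);
    return s.mie;
}

/* Regression check: after a VS-mode sie write, no mie bit outside hideleg's VS-level bits may change. */
bool vs_sie_write_isolated(csr_state s, uint64_t val)
{
    uint64_t before = s.mie, allowed = s.hideleg & VS_INTERRUPTS;
    write_sie(&s, true, val);
    return ((before ^ s.mie) & ~allowed) == 0;
}
```

An emulator with the flaw described above would fail vs_sie_write_isolated for a guest write of all ones, because machine-level bits such as MEIE or MTIE would move.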

Vulnerability details

In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE explicitly describes a privilege escalation vulnerability in NEMU's hypervisor extension (RVH) that allows a VS-mode guest to incorrectly modify machine-level interrupt state (mie via sie), directly enabling exploitation to cross privilege boundaries or achieve higher privileges within the emulated environment.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-41244 (shared CWE-267)
CVE-2026-23526 (shared CWE-267)
CVE-2026-0945 (shared CWE-267)
CVE-2026-2460 (shared CWE-267)
CVE-2025-23015 (shared CWE-267)
CVE-2026-27314 (shared CWE-267)
CVE-2025-14349 (shared CWE-267)
CVE-2024-55968 (shared CWE-267)
CVE-2026-2459 (shared CWE-267)
CVE-2026-42406 (shared CWE-267)

Affected Assets

Riscv (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely remediation through updating NEMU to commit 55295c4 or later, fixing the sie CSR mishandling.

Prevent, AC-25 (Reference Monitor): Mandates a reference monitor that correctly mediates VS-mode guest writes to the sie CSR, preventing unauthorized influence on the machine-level mie state and preserving privilege isolation.

Prevent, SC-50 (Software-enforced Separation and Policy Enforcement): Enforces software-based separation and policy mechanisms in the NEMU hypervisor emulator to block guest manipulations that violate virtualization isolation.
