CVE-2026-29648
Published: 20 April 2026
Summary
CVE-2026-29648 is a high-severity Improper Privilege Management (CWE-269) vulnerability in OpenXiangShan NEMU, a RISC-V emulator (product attribution inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 12.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Implements a reference monitor to enforce privilege-based access controls on CSRs like henvcfg and senvcfg, directly countering the bypass in NEMU's Smstateen implementation.
Requires enforcement of approved authorizations to restrict less-privileged code from reading or writing privileged CSRs without exceptions.
Enforces least privilege to prevent low-privileged attackers in virtualized RISC-V environments from accessing henvcfg and senvcfg CSRs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables bypassing of privilege isolation controls (Smstateen/mstateen0.ENVCFG) to access restricted CSRs from lower-privilege contexts in a virtualized/multi-privilege RISC-V emulator, matching Exploitation for Privilege Escalation.
NVD Description
In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments.
Deeper analysis
CVE-2026-29648 affects OpenXiangShan NEMU, a RISC-V emulator associated with the OpenXiangShan project. The vulnerability arises when Smstateen is enabled: clearing mstateen0.ENVCFG does not correctly restrict access to the henvcfg and senvcfg CSRs. This flaw allows less-privileged code to read or write these CSRs without triggering the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).
The attack requires low privileges (PR:L) and is network accessible (AV:N) with low complexity (AC:L) and no user interaction (UI:N), maintaining unchanged scope (S:U). A low-privileged attacker in a virtualized or multi-privilege RISC-V environment running affected NEMU instances could exploit this to directly read or write henvcfg and senvcfg CSRs, evading isolation mechanisms and achieving high impacts on confidentiality, integrity, and availability.
References point to the RISC-V privileged ISA specification on Smstateen (https://docs.riscv.org/reference/isa/priv/smstateen.html), a GitHub issue in OpenXiangShan/NEMU (#690) detailing the problem, and a pull request in OpenXiangShan/XiangShan (#3978) for remediation. Practitioners should review these for patches, updates, or workarounds to mitigate exposure in affected deployments.
Details
- CWE(s)