CVE-2026-29649
Published: 20 April 2026
Summary
CVE-2026-29649 is a critical-severity Protection Mechanism Failure (CWE-693) vulnerability in Xiangshan Nemu. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-50 (Software-enforced Separation and Policy Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by identifying, prioritizing, and applying the corrective patch (PR #689) to fix the flawed CSR handling in NEMU.
Enforces software-based separation policies to prevent machine-mode menvcfg writes from improperly modifying hypervisor henvcfg fields, addressing the core virtualization enforcement failure.
Verifies correct operation of hypervisor CSR masking and update mechanisms against RISC-V specifications, enabling detection and correction of the configuration propagation flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Network-accessible unauthenticated exploitation of hypervisor CSR flaw directly enables T1190; incorrect menvcfg-to-henvcfg propagation allows privilege escalation across virtualization boundaries (T1068) and escape from emulated guest/hypervisor context to host (T1611); resulting traps and availability impact map to application/system exploitation for DoS (T1499.004).
NVD Description
NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (V=1).
Deeper analysis
CVE-2026-29649 is a critical-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in NEMU, a RISC-V emulator, stemming from an implementation flaw in its hypervisor CSR handling. Specifically, the henvcfg[7:4] fields (CBIE, CBCFE and CBZE) are incorrectly masked or updated based on menvcfg[7:4]. This allows a machine-mode write to menvcfg to implicitly modify the hypervisor's environment configuration, leading to improper enforcement of virtualization settings and potential unexpected traps or denial of service during execution of cache-block management instructions in virtualized contexts (V=1). The issue is classified under CWE-693.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction. Exploitation occurs through manipulation of machine-mode writes that propagate to hypervisor configuration, disrupting virtualization enforcement. This enables high-impact outcomes, including confidentiality breaches, integrity violations, and availability disruptions such as traps or denial of service in affected virtualized environments.
Advisories reference RISC-V ISA specifications for hypervisor and machine privilege CSRs, alongside NEMU GitHub issue #681 documenting the flaw and pull request #689 providing a corrective patch. Security practitioners should update NEMU using the fix in PR #689 and verify CSR handling aligns with official RISC-V documentation to mitigate risks.
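To make the propagation concrete, the following C model is added here as an illustration; it is not NEMU's code and not the patch from PR #689. It assumes the standard envcfg bit layout (CBIE[5:4], CBCFE[6], CBZE[7]) and a simplified V=1 permission check that consults both menvcfg and henvcfg, showing a flawed menvcfg write that silently rewrites henvcfg[7:4] next to the independent-CSR form:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Bits [7:4] of menvcfg/henvcfg: CBIE[5:4], CBCFE[6], CBZE[7] (RISC-V priv. spec). */
#define ENVCFG_CBIE     (3ULL << 4)
#define ENVCFG_CBCFE    (1ULL << 6)
#define ENVCFG_CBZE     (1ULL << 7)
#define ENVCFG_CBO_MASK (ENVCFG_CBIE | ENVCFG_CBCFE | ENVCFG_CBZE)

typedef struct { uint64_t menvcfg, henvcfg; } csr_state_t;

/* Flawed pattern (constructed for illustration, not NEMU's code): an M-mode
 * write to menvcfg also rewrites henvcfg[7:4], discarding the hypervisor's setting. */
void write_menvcfg_flawed(csr_state_t *s, uint64_t val) {
    s->menvcfg = val;
    s->henvcfg = (s->henvcfg & ~ENVCFG_CBO_MASK) | (val & ENVCFG_CBO_MASK);
}

/* Corrected pattern: the two CSRs hold independent state; their combined
 * effect is evaluated when a cache-block instruction executes. */
void write_menvcfg_fixed(csr_state_t *s, uint64_t val) {
    s->menvcfg = val;
}

/* Is the CBO instruction gated by `bit` permitted for a guest at V=1?
 * Simplified: both the M-mode and HS-mode enable must be set (the CBIE
 * two-bit encoding and the senvcfg layer are left out). */
bool cbo_permitted_v1(csr_state_t s, uint64_t bit) {
    return (s.menvcfg & bit) != 0 && (s.henvcfg & bit) != 0;
}

/* Start with the hypervisor's henvcfg already programmed, then perform one
 * M-mode write to menvcfg using either implementation. */
csr_state_t after_menvcfg_write(bool use_fixed, uint64_t henvcfg_init, uint64_t mval) {
    csr_state_t s = { .menvcfg = 0, .henvcfg = henvcfg_init };
    if (use_fixed) write_menvcfg_fixed(&s, mval);
    else           write_menvcfg_flawed(&s, mval);
    return s;
}

int main(void) {
    /* Hypervisor allows cbo.clean (CBCFE) but denies cbo.zero (CBZE) to guests;
     * firmware then enables every CBO feature at machine level. */
    csr_state_t flawed = after_menvcfg_write(false, ENVCFG_CBCFE, ENVCFG_CBO_MASK);
    csr_state_t fixed  = after_menvcfg_write(true,  ENVCFG_CBCFE, ENVCFG_CBO_MASK);
    printf("guest cbo.zero permitted: flawed=%d fixed=%d\n",
           cbo_permitted_v1(flawed, ENVCFG_CBZE), cbo_permitted_v1(fixed, ENVCFG_CBZE));
    return 0;
}
```

With the flawed write the hypervisor's CBZE=0 choice is overwritten and the guest's cbo.zero becomes permitted; the mirror case (M-mode clearing a bit the hypervisor had set) surfaces as traps the guest did not expect.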
Details
- CWE(s)