{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29642", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T19:50:54.758Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T20:30:19.577Z"}, "descriptions": [{"lang": "en", "value": "A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as \"writes preserve values, reads ignore values,\" i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/OpenXiangShan/XiangShan/issues/3934"}, {"url": "https://github.com/OpenXiangShan/XiangShan/commit/5e3dd63"}, {"url": "https://docs.riscv.org/reference/isa/priv/priv-csrs.html"}, {"url": "https://docs.riscv.org/reference/isa/priv/machine.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1244", "lang": "en", "description": "CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:51:42.441940Z", "id": "CVE-2026-29642", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:50:54.758Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/OpenXiangShan/XiangShan/issues/3934"}, {"url": "https://github.com/OpenXiangShan/XiangShan/commit/5e3dd63"}, {"url": "https://docs.riscv.org/reference/isa/priv/priv-csrs.html"}, {"url": "https://docs.riscv.org/reference/isa/priv/machine.html"}], "descriptions": [{"lang": "en", "value": "A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as \"writes preserve values, reads ignore values,\" i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T20:30:19.577Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29642", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T13:51:42.441940Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1244", "description": "CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-21T13:52:14.379Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-29642", "state": "PUBLISHED", "dateUpdated": "2026-04-20T20:30:19.577Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as \"writes preserve values, reads ignore values,\" i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields."}], "id": "CVE-2026-29642", "lastModified": "2026-04-21T20:16:40.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T21:16:19.393", "references": [{"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/machine.html"}, {"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/priv-csrs.html"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/XiangShan/commit/5e3dd63"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/XiangShan/issues/3934"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1244"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "aecf601e803bfd2371667a3fb60bfcd83c333027"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "5e3dd63"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "xiangshan", "vendor": "openxiangshan"}], "analysis": {"en": {"generated_at": "2026-04-22T07:38:00.772384+00:00", "value": {"mitigation_remediation": ["Update XiangShan firmware to a version that includes the commit 5e3dd63 or later to correct the menvcfg handling.", "Restrict execution of privileged CSR operations to only those processes that absolutely require them, and audit the firmware to eliminate unnecessary menvcfg writes.", "Implement runtime monitoring for writes to menvcfg or the status register so that unexpected modifications trigger an alert or safety\u2011mechanism."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation via Status Register Tampering"}, "threat_synthesis": {"affected_systems": "XiangShan firmware (OpenXiangShan) versions based on commit aecf601e803bfd2371667a3fb60bfcd83c333027 released 2024\u201111\u201119 are affected. No other vendors or products are listed as impacted.", "description_and_impact": "A local attacker who can execute privileged CSR operations on a XiangShan processor may carefully read and write the menvcfg register to set reserved bits in the machine status view. This manipulation violates the RISC\u2011V WPRI rule, which requires software to leave reserved bits unchanged, and represents a CWE\u20111244 vulnerability. The resulting corruption of the status register can alter privilege levels, bypass security checks, or destabilise the processor, potentially leading to privilege escalation or denial of service. The vulnerability is therefore an internal flaw that requires local, privileged code execution.", "risk_and_exploitability": "Because the exploit requires privileged CSR access, it is a local attack that normally implies root or firmware\u2011level control. An EPSS score of <\u202f1% and a KEV not listed, combined with a CVSS score of 7.8, indicate a substantial risk. However, the ability to corrupt reserved status bits suggests a high risk for the affected system: an adversary with the necessary privileges could gain additional privileges, disrupt correct operation, or cause a system crash. The attack path is straightforward: obtain privileged CSR access, read or write menvcfg, and set the reserved bits in xstatus, thereby violating the intended hardware semantics."}}}}, "created": "2026-04-21T00:15:16.115831+00:00", "title": "Privilege Escalation via Status Register Tampering on XiangShan RISC\u2011V Processors", "updated": "2026-04-22T07:45:11.739963+00:00", "vendors": ["openxiangshan", "openxiangshan$PRODUCT$xiangshan"]}