{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29643", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T19:50:32.463Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T21:18:39.405Z"}, "descriptions": [{"lang": "en", "value": "XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) contains an improper exceptional-condition handling flaw in its CSR subsystem (NewCSR). On affected versions, certain sequences of CSR operations targeting non-existent/custom CSR addresses may trigger an illegal-instruction exception but fail to reliably transfer control to the configured trap handler (mtvec), causing control-flow disruption and potentially leaving the core in a hung or unrecoverable state. This can be exploited by a local attacker able to execute code on the processor to cause a denial of service and potentially inconsistent architectural state."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/OpenXiangShan/XiangShan/issues/3959"}, {"url": "https://github.com/OpenXiangShan/XiangShan/pull/3966"}, {"url": "https://docs.riscv.org/reference/isa/priv/priv-csrs.html"}, {"url": "https://docs.riscv.org/reference/isa/priv/machine.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-703", "lang": "en", "description": "CWE-703 Improper Check or Handling of Exceptional Conditions"}]}], "references": [{"url": "https://github.com/OpenXiangShan/XiangShan/issues/3959", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:14:23.875341Z", "id": "CVE-2026-29643", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:50:32.463Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29643", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:14:23.875341Z"}}}], "references": [{"url": "https://github.com/OpenXiangShan/XiangShan/issues/3959", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-703", "description": "CWE-703 Improper Check or Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:17:00.415Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/OpenXiangShan/XiangShan/issues/3959"}, {"url": "https://github.com/OpenXiangShan/XiangShan/pull/3966"}, {"url": "https://docs.riscv.org/reference/isa/priv/priv-csrs.html"}, {"url": "https://docs.riscv.org/reference/isa/priv/machine.html"}], "descriptions": [{"lang": "en", "value": "XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) contains an improper exceptional-condition handling flaw in its CSR subsystem (NewCSR). On affected versions, certain sequences of CSR operations targeting non-existent/custom CSR addresses may trigger an illegal-instruction exception but fail to reliably transfer control to the configured trap handler (mtvec), causing control-flow disruption and potentially leaving the core in a hung or unrecoverable state. This can be exploited by a local attacker able to execute code on the processor to cause a denial of service and potentially inconsistent architectural state."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T21:18:39.405Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29643", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:50:32.463Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) contains an improper exceptional-condition handling flaw in its CSR subsystem (NewCSR). On affected versions, certain sequences of CSR operations targeting non-existent/custom CSR addresses may trigger an illegal-instruction exception but fail to reliably transfer control to the configured trap handler (mtvec), causing control-flow disruption and potentially leaving the core in a hung or unrecoverable state. This can be exploited by a local attacker able to execute code on the processor to cause a denial of service and potentially inconsistent architectural state."}], "id": "CVE-2026-29643", "lastModified": "2026-04-21T20:16:40.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T22:16:23.507", "references": [{"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/machine.html"}, {"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/priv-csrs.html"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/XiangShan/issues/3959"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/XiangShan/pull/3966"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/OpenXiangShan/XiangShan/issues/3959"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-703"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "edb1dfaf7d290ae99724594507dc46c2c2125384"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "xiangshan", "vendor": "openxiangshan"}], "analysis": {"en": {"generated_at": "2026-04-22T05:58:28.505583+00:00", "value": {"mitigation_remediation": ["Check the XiangShan GitHub repository for any updates or patches that address the CSR exception handling flaw.", "Apply any identified firmware or microcode updates that correct the improper exception transfer to mtvec.", "Restrict the execution of untrusted code on affected RISC\u2011V cores to prevent local exploitation of the flaw."], "summary": {"action": "Mitigate", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected platform is the XiangShan open\u2011source high\u2011performance RISC\u2011V processor identified by the commit edb1dfaf7d290ae99724594507dc46c2c2125384 released on 2024\u201111\u201128. No vendor\u2011specific product names or version ranges are publicly listed; the flaw applies to the indicated commit and any derived builds that have not applied the fix.", "description_and_impact": "The flaw originates from improper handling of exceptional conditions within the CSR subsystem (NewCSR). When a sequence of CSR operations targets a non\u2011existent or custom CSR address, the processor may raise an illegal\u2011instruction exception but fails to reliably transfer control to the configured trap handler (mtvec). This control\u2011flow disruption can leave the core hung or in an unrecoverable state, providing a local attacker who can execute code on the processor with the ability to trigger a denial of service and potentially corrupt architectural state.", "risk_and_exploitability": "The vulnerability is exploitable only in environments where an attacker has local code\u2011execution privilege on the processor, as the flaw requires the ability to issue malformed CSR instructions. The CVSS score of 7.1 indicates a medium severity, while the EPSS score of <1% suggests low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. While the impacted asset is a single core, the denial of service could affect systems that rely on that core for critical workloads. The risk is considered medium to high in contexts where local attackers are a concern and no mitigation is in place."}}}}, "created": "2026-04-20T22:30:19.706074+00:00", "title": "Improper Exception Handling in XiangShan CSR Subsystem Allows Local Denial of Service", "updated": "2026-04-22T06:00:09.671501+00:00", "vendors": ["openxiangshan", "openxiangshan$PRODUCT$xiangshan"]}