{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29647", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T19:50:43.685Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T20:49:54.460Z"}, "descriptions": [{"lang": "en", "value": "In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/691"}, {"url": "https://github.com/OpenXiangShan/XiangShan/pull/3978"}, {"url": "https://docs.riscv.org/reference/isa/priv/smstateen.html#state-enable-0-registers"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/691", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:25:36.668156Z", "id": "CVE-2026-29647", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:50:43.685Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29647", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T18:25:36.668156Z"}}}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/691", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:25:27.685Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/691"}, {"url": "https://github.com/OpenXiangShan/XiangShan/pull/3978"}, {"url": "https://docs.riscv.org/reference/isa/priv/smstateen.html#state-enable-0-registers"}], "descriptions": [{"lang": "en", "value": "In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T20:49:54.460Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29647", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:50:43.685Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling."}], "id": "CVE-2026-29647", "lastModified": "2026-04-21T20:16:40.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T21:16:19.637", "references": [{"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/smstateen.html#state-enable-0-registers"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/NEMU/issues/691"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/XiangShan/pull/3978"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/OpenXiangShan/NEMU/issues/691"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T07:37:26.493128+00:00", "value": {"mitigation_remediation": ["Apply the latest NEMU release that includes the Smstateen permission check patch as indicated in the upstream pull request", "If a patched version cannot be obtained, modify the emulator to enforce that stopei and vstopei CSRs are only executable when the mstateen0.IMSIC bit is set, effectively rejecting access from lower\u2011privileged contexts", "Where possible, disable IMSIC functionality or partition it per virtual context to prevent cross\u2011context data exposure, and restrict untrusted code from accessing privileged CSR space"], "summary": {"action": "Assess Impact", "impact": "Information Disclosure and Potential Interrupt Handling Disruption"}, "threat_synthesis": {"affected_systems": "OpenXiangShan NEMU emulates RISC\u2011V ISA and implements the Smstateen mechanism to guard access to privileged CSRs. The flaw exists in any NEMU build that uses the described SMstateen check without the fix; no version range is specified in the CNA data, so all current releases that implement the unpatched logic are potentially affected.", "description_and_impact": "This vulnerability stems from an insufficient enforcement of Smstateen permission checks in OpenXiangShan NEMU. When the mstateen0.IMSIC bit is cleared, lower\u2011privileged code can still read the IMSIC state through the stopei and vstopei CSRs, enabling an attacker to gather information about other contexts\u2019 interrupt states or to interfere with interrupt handling, thereby compromising both confidentiality and availability.", "risk_and_exploitability": "The CVSS score is 6.5, reflecting moderate severity. The EPSS score is less than 1%, indicating a low probability of exploitation. Because the flaw requires an attacker to run low\u2011privileged code that can access the stopei/vstopei CSRs, it is typically a local privilege escalation scenario. When leveraged, the vulnerability can leak cross\u2011context interrupt state information or disrupt interrupt handling, compromising confidentiality and availability in multi\u2011context emulator environments. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no confirmed exploitation yet, but the potential impact warrants careful mitigation."}}}}, "created": "2026-04-21T16:00:13.259627+00:00", "title": "OpenXiangShan NEMU Cross-Context IMSIC State Leakage", "updated": "2026-04-22T07:45:11.739555+00:00", "vendors": []}