{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29649", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T19:51:00.279Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T19:56:57.812Z"}, "descriptions": [{"lang": "en", "value": "NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (V=1)."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/681"}, {"url": "https://github.com/OpenXiangShan/NEMU/pull/689"}, {"url": "https://docs.riscv.org/reference/isa/priv/machine.html"}, {"url": "https://docs.riscv.org/reference/isa/priv/hypervisor.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-693", "lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:47:02.557376Z", "id": "CVE-2026-29649", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:51:00.279Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/OpenXiangShan/NEMU/issues/681"}, {"url": "https://github.com/OpenXiangShan/NEMU/pull/689"}, {"url": "https://docs.riscv.org/reference/isa/priv/machine.html"}, {"url": "https://docs.riscv.org/reference/isa/priv/hypervisor.html"}], "descriptions": [{"lang": "en", "value": "NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (V=1)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T19:56:57.812Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29649", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T13:47:02.557376Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-21T13:49:49.167Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-29649", "state": "PUBLISHED", "dateUpdated": "2026-04-20T19:56:57.812Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (V=1)."}], "id": "CVE-2026-29649", "lastModified": "2026-04-21T20:16:41.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T20:16:48.410", "references": [{"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/hypervisor.html"}, {"source": "cve@mitre.org", "url": "https://docs.riscv.org/reference/isa/priv/machine.html"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/NEMU/issues/681"}, {"source": "cve@mitre.org", "url": "https://github.com/OpenXiangShan/NEMU/pull/689"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T08:54:51.467573+00:00", "value": {"mitigation_remediation": ["Upgrade NEMU to the most recent release that incorporates the patch from GitHub PR #689", "If upgrading is not immediately possible, restrict or disable machine\u2011mode writes to menvcfg in the hypervisor configuration, or apply custom tooling to detect and prevent unintended CSRs updates", "Implement validation checks that enforce consistency between henvcfg[7:4] and menvcfg[7:4] whenever either CSR is written", "Monitor the emulator for unexpected cache\u2011block management instruction failures or traps, and configure alerts for sudden service interruptions"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw exists in the NEMU RISC\u2011V emulator. No specific version list is provided, so all instances of NEMU that employ the hypervisor CSR handling described are potentially affected. Because the vulnerability originates from the emulator\u2019s core implementation, any build or fork that has not incorporated the recent fix is at risk.", "description_and_impact": "NEMU\u2019s RISC\u2011V hypervisor contains an implementation flaw where the hypervisor configuration CSR fields henvcfg[7:4] are inappropriately masked and updated based on the machine\u2011mode configuration CSR menvcfg[7:4]. A write to menvcfg from machine mode implicitly changes the hypervisor\u2019s environment configuration. This misconfiguration can cause the hypervisor to enforce incorrect virtualization settings, potentially triggering unexpected traps or resulting in a denial of service when executing cache\u2011block management instructions in a virtualised context (V=1). The vulnerability allows a privileged attacker to influence hypervisor behaviour without direct hypervisor accesses, compromising availability.", "risk_and_exploitability": "The EPSS score is <1%, the CVSS score is 9.8, and the vulnerability is not listed in the CISA KEV catalog, indicating a high severity with low probability of exploitation. Based on the description, the likely attack vector involves a machine\u2011mode write operation that inadvertently alters hypervisor settings; such an attack would require access to a process with machine\u2011mode privileges or the ability to run arbitrary code within the emulator. The vulnerability could be exploited to cause denial of service or misconfigure virtual machines, impacting integrity of the hypervisor environment."}}}}, "created": "2026-04-21T16:00:13.259917+00:00", "updated": "2026-04-22T09:00:09.443019+00:00", "vendors": []}