CRITICAL🇵🇱 Wersja polska

CVE-2026-29646

CVSS 9.8v3.1pub. 2026-04-20upd. 2026-04-21

In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.

🤖 AI Analysis
How it works

The RVH extension for RISC-V architecture defines a strict hierarchy of privilege levels: machine (M), supervisor (S), and virtual supervisor (VS). A guest running in VS-mode writing to the sie (supervisor interrupt-enable) CSR register should be isolated and not affect the mie (machine interrupt-enable) register, which belongs to the highest privilege level. In NEMU versions prior to commit 55295c4, the handling of this write is incorrect, allowing a VS-mode guest to modify machine-level interrupt state without required privileges. This violates the fundamental principle of virtualization layer isolation.

Impact

An attacker or malicious code running in the guest environment (VS-mode) can cause denial of service (DoS) by disrupting machine interrupt handling or violate privilege boundaries in NEMU-based virtualization environments for interrupt virtualization.

Mitigation & patch

Update OpenXiangShan NEMU to a version containing commit 55295c4 or later. Details are available in the vendor references and GitHub issue #951.

Who is affected

OpenXiangShan NEMU in all versions preceding commit 55295c4, running with the RVH (RISC-V Hypervisor extension) enabled.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References