In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.
The RVH extension for RISC-V architecture defines a strict hierarchy of privilege levels: machine (M), supervisor (S), and virtual supervisor (VS). A guest running in VS-mode writing to the sie (supervisor interrupt-enable) CSR register should be isolated and not affect the mie (machine interrupt-enable) register, which belongs to the highest privilege level. In NEMU versions prior to commit 55295c4, the handling of this write is incorrect, allowing a VS-mode guest to modify machine-level interrupt state without required privileges. This violates the fundamental principle of virtualization layer isolation.
An attacker or malicious code running in the guest environment (VS-mode) can cause denial of service (DoS) by disrupting machine interrupt handling or violate privilege boundaries in NEMU-based virtualization environments for interrupt virtualization.
Update OpenXiangShan NEMU to a version containing commit 55295c4 or later. Details are available in the vendor references and GitHub issue #951.
OpenXiangShan NEMU in all versions preceding commit 55295c4, running with the RVH (RISC-V Hypervisor extension) enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H