CVE-2026-29646

Description

In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS — Exploit Prediction

0.0008

Probability of exploitation

0.24%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-267 CWE-267

References

Other References

https://docs.riscv.org/reference/isa/priv/hypervisor.html https://docs.riscv.org/reference/isa/priv/machine.html https://docs.riscv.org/reference/isa/priv/supervisor.html https://docs.riscv.org/reference/isa/unpriv/zicsr.html https://github.com/OpenXiangShan/NEMU/issues/951 https://github.com/OpenXiangShan/NEMU/pull/938 https://github.com/OpenXiangShan/NEMU/pull/938/commits/55295c46580456d8d5a9d5736e1fda924b8825ab

Frequently Asked Questions

What is CVE-2026-29646? +

In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization. It has a CVSS v3.1 base score of 9.8 (CRITICAL).

How severe is CVE-2026-29646? +

CVE-2026-29646 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0008, placing it in the 0th percentile for exploitation probability.

How do I check if I'm vulnerable to CVE-2026-29646? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-2903

An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login …

CVE-2024-39866 8.8

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users …

CVE-2025-26467 8.8

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges …

CVE-2024-55968 8.8

An issue was discovered in DTEX DEC-M (DTEX Forwarder) 6.1.1. The com.dtexsystems.helper service, responsible for handling privileged operations within the …

CVE-2025-23015 8.8