CVE-2026-29642

CVSS 7.8 HIGH · EPSS 0.1% · CWE-1244

In short

A local attacker with privileged access can manipulate special processor registers (menvcfg) in XiangShan processors to incorrectly modify reserved bits that should never change. This breaks the processor's security model and can lead to unpredictable behavior or privilege escalation.

Technical detail

The vulnerability allows a local attacker with M-mode execution capability to perform crafted CSR read/write operations on menvcfg that set WPRI (reserved; writes preserve values, reads ignore values) bits, in violation of the RISC-V specification. On affected XiangShan versions, these operations unexpectedly modify reserved bits in the xstatus view, circumventing the write-preservation guarantee that prevents software from altering fields outside its intended scope.

Summary generated and translated by AI from the official description.
A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as "writes preserve values, reads ignore values," i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
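
A verification-side check for the behaviour described above, as an added example (not XiangShan or RISC-V project code): it replays logged csrrs accesses to menvcfg and flags any record where menvcfg departs from the reference result or a WPRI bit of the status view changed. The record layout, the function names and both masks are assumptions for illustration; real masks come from the privileged specification and the extensions the core implements.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One logged csrrs to menvcfg plus the status view sampled around it (constructed format). */
struct csr_obs {
    uint64_t env_before, env_set, env_after; /* menvcfg: old value, rs1 mask, new value */
    uint64_t st_before, st_after;            /* xstatus view before and after the access */
};

/* Assumed sample masks, NOT XiangShan's real layout. */
#define ENV_WRITABLE 0x01ULL  /* pretend only menvcfg bit 0 is implemented */
#define ST_WPRI      0x15ULL  /* pretend status bits 0, 2 and 4 are WPRI */
enum { BAD_ENV = 1, BAD_ST = 2 }; /* menvcfg mismatch / status WPRI bit changed */

/* Reference csrrs: only writable bits may be set, every other bit is preserved. */
static uint64_t ref_csrrs(uint64_t old, uint64_t set, uint64_t writable) {
    return old | (set & writable);
}

/* Classify one record; returns a BAD_* bitmask, 0 when the record conforms. */
static unsigned check_obs(const struct csr_obs *o, uint64_t env_w, uint64_t st_wpri) {
    unsigned bad = o->env_after != ref_csrrs(o->env_before, o->env_set, env_w) ? BAD_ENV : 0;
    if ((o->st_before ^ o->st_after) & st_wpri) bad |= BAD_ST;
    return bad;
}

/* Count violating records; *first_bad gets the index of the first one, or -1. */
static size_t scan_trace(const struct csr_obs *t, size_t n, long *first_bad) {
    size_t hits = 0;
    *first_bad = -1;
    for (size_t i = 0; i < n; i++) {
        if (!check_obs(&t[i], ENV_WRITABLE, ST_WPRI)) continue;
        if (hits++ == 0) *first_bad = (long)i;
    }
    return hits;
}

static const struct csr_obs sample[] = { /* constructed trace, not captured data */
    { 0x0, ~0ULL, 0x1, 0x8, 0x8 },  /* conforming: only the writable bit was set */
    { 0x0, ~0ULL, 0x1, 0x8, 0xC },  /* status WPRI bit 2 became 1 after the access */
    { 0x1, 0x2,   0x3, 0x8, 0x8 },  /* reserved menvcfg bit 1 was set */
};

int main(void) {
    long first;
    size_t hits = scan_trace(sample, 3, &first);
    printf("%zu violating record(s), first at index %ld\n", hits, first);
    return 0;
}
```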
