CVE-2026-29644

MEDIUM EPSS 1.1%
Published Apr 21, 20262mo ago · Modified Jun 17, 20262w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Apr 21, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

XiangShan (open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) has improper gating of its distributed CSR write-enable path, allowing illegal CSR write attempts to alter custom PMA (Physical Memory Attribute) CSR state. Though the RISC-V privileged specification requires an illegal-instruction exception for non-existent/illegal CSR accesses, affected XiangShan versions may still propagate such writes to replicated PMA configuration state. Local attackers able to execute code on the core (privilege context depends on system integration) can exploit this to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on how PMA enforces platform security and isolation boundaries.

CVSS Details

Base Score
5.3
Exploitability
1.8
Impact
3.4
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
1.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-284

References 5

  • docs.riscv.org https://docs.riscv.org/reference/isa/priv/priv-csrs.html
  • github.com https://github.com/OpenXiangShan/XiangShan/commit/2b1f9796aa98597e5eeac32e5bb1418496987ca4
  • github.com https://github.com/OpenXiangShan/XiangShan/commit/edb1dfaf7d290ae99724594507dc46c2c2125384
  • github.com https://github.com/OpenXiangShan/XiangShan/issues/3959
  • xiangshan-doc-test.readthedocs.io https://xiangshan-doc-test.readthedocs.io/next/memory/mmu/pmp_pma/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.