CVE-2026-29645
Description
NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing.
Affected products (1)
Patches (1)
481de637d5fc: fix(vector): remove incorrect decode for some insts (#958)
1 file changed · +8 −22
src/isa/riscv64/instr/rvv/decode.h+8 −22 modified
@@ -204,7 +204,7 @@ def_THelper(vopivv) {
 def_INSTR_TAB("010101 ? ????? ????? ??? ????? ????? ??", vrol);
 def_INSTR_TAB("010100 ? ????? ????? ??? ????? ????? ??", vror);
 def_INSTR_TAB("110101 ? ????? ????? ??? ????? ????? ??", vwsll);
-
+
 return EXEC_ID_inv;
 }
@@ -265,7 +265,7 @@ def_THelper(vopivx) {
 def_INSTR_TAB("010101 ? ????? ????? ??? ????? ????? ??", vrol);
 def_INSTR_TAB("010100 ? ????? ????? ??? ????? ????? ??", vror);
 def_INSTR_TAB("110101 ? ????? ????? ??? ????? ????? ??", vwsll);
-
+
 return EXEC_ID_inv;
 }
@@ -324,7 +324,7 @@ def_THelper(vopivi) {
 def_INSTR_TAB("01010 ? ? ????? ????? ??? ????? ????? ??", vror);
 def_INSTR_TAB("110101 ? ????? ????? ??? ????? ????? ??", vwsll);
-
+
 return EXEC_ID_inv;
 }
@@ -344,6 +344,7 @@ def_THelper(vopmvv) {
 def_INSTR_TAB("001001 ? ????? ????? ??? ????? ????? ??", vaadd);
 def_INSTR_TAB("001010 ? ????? ????? ??? ????? ????? ??", vasubu);
 def_INSTR_TAB("001011 ? ????? ????? ??? ????? ????? ??", vasub);
+ def_INSTR_TAB("010000 ? ????? ????? ??? ????? ????? ??", vwxunary0_dispatch);
 def_INSTR_IDTAB("010010 ? ????? ????? ??? ????? ????? ??", vxunary0_dispatch, vxunary0_dispatch);
 def_INSTR_TAB("010100 ? ????? ????? ??? ????? ????? ??", vmunary0_dispatch);
@@ -356,6 +357,7 @@ def_THelper(vopmvv) {
 def_INSTR_TAB("011101 ? ????? ????? ??? ????? ????? ??", vmnand);
 def_INSTR_TAB("011110 ? ????? ????? ??? ????? ????? ??", vmnor);
 def_INSTR_TAB("011111 ? ????? ????? ??? ????? ????? ??", vmxnor);
+ def_INSTR_TAB("100000 ? ????? ????? ??? ????? ????? ??", vdivu);
 def_INSTR_TAB("100001 ? ????? ????? ??? ????? ????? ??", vdiv);
 def_INSTR_TAB("100010 ? ????? ????? ??? ????? ????? ??", vremu);
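Review bot: The new `010000` row in `vopmvv` matches on funct6 alone, so every vs1 value is handed to `vwxunary0_dispatch`, whose body is outside this hunk. The V specification defines only three vs1 values for VWXUNARY0 (vmv.x.s, vcpop.m, vfirst.m); if the dispatch helper does not end in `return EXEC_ID_inv;` for the remaining values, reserved encodings would execute instead of raising an illegal-instruction trap. A comment on the row would make that dependency visible, for example `/* VWXUNARY0: vs1 selects the op; reserved vs1 must decode to EXEC_ID_inv in vwxunary0_dispatch */`. `vopmvv` itself starts and ends outside the hunk.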
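Review bot: The `vdivu` row added to `vopmvv` at funct6 `100000`, and the `vdivu`/`vwaddu` rows added in the hunks at -368, -391 and -429, arrive without a decode test: the diffstat lists a single changed file. These tables decide whether an encoding executes or traps, so a table-driven test would be worth adding that walks all 64 funct6 values for each of `vopmvv` and `vopmvx` and asserts either the expected handler or `EXEC_ID_inv`. Such a test would also pin the rows this commit removes so they cannot silently return. Whether such a test already exists elsewhere in the tree cannot be told from this diff.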
@@ -368,6 +370,7 @@ def_THelper(vopmvv) {
 def_INSTR_TAB("101011 ? ????? ????? ??? ????? ????? ??", vnmsub);
 def_INSTR_TAB("101101 ? ????? ????? ??? ????? ????? ??", vmacc);
 def_INSTR_TAB("101111 ? ????? ????? ??? ????? ????? ??", vnmsac);
+ def_INSTR_TAB("110000 ? ????? ????? ??? ????? ????? ??", vwaddu);
 def_INSTR_TAB("110001 ? ????? ????? ??? ????? ????? ??", vwadd);
 def_INSTR_TAB("110010 ? ????? ????? ??? ????? ????? ??", vwsubu);
@@ -381,7 +384,6 @@ def_THelper(vopmvv) {
 def_INSTR_TAB("111011 ? ????? ????? ??? ????? ????? ??", vwmul);
 def_INSTR_TAB("111100 ? ????? ????? ??? ????? ????? ??", vwmaccu);
 def_INSTR_TAB("111101 ? ????? ????? ??? ????? ????? ??", vwmacc);
- def_INSTR_TAB("111110 ? ????? ????? ??? ????? ????? ??", vwmaccus);
 def_INSTR_TAB("111111 ? ????? ????? ??? ????? ????? ??", vwmaccsu);
 return EXEC_ID_inv;
@@ -391,32 +393,15 @@ def_THelper(vopmvx) {
 if (!vp_enable()) {
 return EXEC_ID_inv;
 }
- def_INSTR_TAB("000000 ? ????? ????? ??? ????? ????? ??", vredsum);
- def_INSTR_TAB("000001 ? ????? ????? ??? ????? ????? ??", vredand);
- def_INSTR_TAB("000010 ? ????? ????? ??? ????? ????? ??", vredor);
- def_INSTR_TAB("000011 ? ????? ????? ??? ????? ????? ??", vredxor);
- def_INSTR_TAB("000100 ? ????? ????? ??? ????? ????? ??", vredminu);
- def_INSTR_TAB("000101 ? ????? ????? ??? ????? ????? ??", vredmin);
- def_INSTR_TAB("000110 ? ????? ????? ??? ????? ????? ??", vredmaxu);
- def_INSTR_TAB("000111 ? ????? ????? ??? ????? ????? ??", vredmax);
 def_INSTR_TAB("001000 ? ????? ????? ??? ????? ????? ??", vaaddu);
 def_INSTR_TAB("001001 ? ????? ????? ??? ????? ????? ??", vaadd);
 def_INSTR_TAB("001010 ? ????? ????? ??? ????? ????? ??", vasubu);
 def_INSTR_TAB("001011 ? ????? ????? ??? ????? ????? ??", vasub);
- def_INSTR_TAB("001110 ? ????? ????? ??? ????? ????? ??", vslide1up);
 def_INSTR_TAB("001111 ? ????? ????? ??? ????? ????? ??", vslide1down);
 def_INSTR_TAB("010000 ? ????? ????? ??? ????? ????? ??", vrxunary0_dispatch);
- def_INSTR_TAB("010111 ? ????? ????? ??? ????? ????? ??", vcompress);
- def_INSTR_TAB("011000 ? ????? ????? ??? ????? ????? ??", vmandnot);
- def_INSTR_TAB("011001 ? ????? ????? ??? ????? ????? ??", vmand);
- def_INSTR_TAB("011010 ? ????? ????? ??? ????? ????? ??", vmor);
- def_INSTR_TAB("011011 ? ????? ????? ??? ????? ????? ??", vmxor);
- def_INSTR_TAB("011100 ? ????? ????? ??? ????? ????? ??", vmornot);
- def_INSTR_TAB("011101 ? ????? ????? ??? ????? ????? ??", vmnand);
- def_INSTR_TAB("011110 ? ????? ????? ??? ????? ????? ??", vmnor);
- def_INSTR_TAB("011111 ? ????? ????? ??? ????? ????? ??", vmxnor);
+ def_INSTR_TAB("100000 ? ????? ????? ??? ????? ????? ??", vdivu);
 def_INSTR_TAB("100001 ? ????? ????? ??? ????? ????? ??", vdiv);
 def_INSTR_TAB("100010 ? ????? ????? ??? ????? ????? ??", vremu);
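Review bot: After this hunk `vopmvx` keeps `vslide1down` at `001111` but has no row for `001110`, which the V specification assigns to vslide1up.vx under OPMVX. The reduction, vcompress and mask-logical rows removed alongside it are OPMVV-only, so dropping them makes those encodings trap as intended, but `vslide1up` looks like it was swept up with them. Unless it is decoded by a table outside this hunk, valid vslide1up.vx instructions would now return `EXEC_ID_inv`; restoring `def_INSTR_TAB("001110 ? ????? ????? ??? ????? ????? ??", vslide1up);` ahead of the `vslide1down` row would address that. The body of `vopmvx` continues past the end of the hunk.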
@@ -429,6 +414,7 @@ def_THelper(vopmvx) {
 def_INSTR_TAB("101011 ? ????? ????? ??? ????? ????? ??", vnmsub);
 def_INSTR_TAB("101101 ? ????? ????? ??? ????? ????? ??", vmacc);
 def_INSTR_TAB("101111 ? ????? ????? ??? ????? ????? ??", vnmsac);
+ def_INSTR_TAB("110000 ? ????? ????? ??? ????? ????? ??", vwaddu);
 def_INSTR_TAB("110001 ? ????? ????? ??? ????? ????? ??", vwadd);
 def_INSTR_TAB("110010 ? ????? ????? ??? ????? ????? ??", vwsubu);
References (4)
- github.com/OpenXiangShan/NEMU/commit/481de637d5fc5838356caee80a79e56a33754039 (nvd: Patch)
- docs.riscv.org/reference/isa/unpriv/v-st-ext.html (nvd: Product)
- github.com/OpenXiangShan/NEMU/issues/952 (nvd: Issue Tracking)
- github.com/OpenXiangShan/NEMU/pull/958 (nvd: Issue Tracking)