CVE-2023-53395: ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5
According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode.
When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed.
=============================================================
UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]'
CPU: 37 PID: 1678 Comm: cat Not tainted
6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k
HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace:
dump_backtrace+0xe0/0x130
show_stack+0x20/0x60
dump_stack_lvl+0x68/0x84
dump_stack+0x18/0x34
ubsan_epilogue+0x10/0x50
__ubsan_handle_out_of_bounds+0x80/0x90
acpi_ds_exec_end_op+0x1bc/0x6d8
acpi_ps_parse_loop+0x57c/0x618
acpi_ps_parse_aml+0x1e0/0x4b4
acpi_ps_execute_method+0x24c/0x2b8
acpi_ns_evaluate+0x3a8/0x4bc
acpi_evaluate_object+0x15c/0x37c
acpi_evaluate_integer+0x54/0x15c
show_power+0x8c/0x12c [acpi_power_meter]
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel ACPI interpreter bug where a Timer instruction can be handled incorrectly, causing an out-of-bounds array access. Because it is in kernel code, successful abuse could be serious, but the provided evidence shows a local trigger and a sanitizer crash report, not confirmed real-world exploitation.
Executive priority
Treat as a high-priority kernel maintenance item, especially for shared Linux systems where local users or workloads are not fully trusted. There is no evidence of active exploitation in the bundle, so urgency should focus on patching cadence and exposure to local users.
Technical view
ACPICA interpreted ASL Timer as though an operand needed resolving, leading to index -1 access in acpica/dswexec.c. The fix adds AML_NO_OPERAND_RESOLVE to the Timer opcode. The CVSS vector is local, low complexity, low privilege, no user interaction, with high confidentiality, integrity, and availability impact.
Likely exposure
Exposure is limited to systems running affected Linux kernel versions or downstream kernels missing the referenced stable commits. Systems using ACPI paths such as acpi_power_meter may be more relevant, but the bundle does not define a complete hardware or distribution-specific exposure list.
Exploitation context
The CVSS vector requires local low-privileged access and no user interaction. CISA KEV status is false in the bundle, and no cited source claims active exploitation. The available evidence is a UBSAN out-of-bounds report during ACPI method evaluation.
Researcher notes
The source bundle supports the root cause and fix direction, but not a proven privilege escalation path. Avoid assuming affected distributions without advisory confirmation. The observed stack involves acpi_power_meter and acpi_evaluate_integer, which may help guide targeted validation.
Mitigation direction
Apply vendor Linux kernel updates containing the referenced stable fixes.
Check your distribution advisory for the exact fixed kernel package.
Prioritize internet-facing multi-user hosts and shared compute environments.
Track downstream kernel backports rather than relying only on upstream version numbers.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and images.
Compare installed kernels with vendor advisories and referenced stable commits.
Review logs for ACPI or UBSAN out-of-bounds reports in dswexec.c.
Confirm patched hosts boot the intended updated kernel.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-129: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
9Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-129 · source CWE mapping
Improper Validation of Array Index
Improper Validation of Array Index represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.