VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Jul 20, 2017 · Updated May 13, 2026

CVE-2017-11472

Description

The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ACPI namespace teardown in Linux kernels before 4.12 fails to flush the operand cache; the resulting kernel stack dump discloses kernel addresses, letting a local user bypass KASLR.

Vulnerability

The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c of the Linux kernel (before version 4.12) fails to flush the ACPI operand cache when terminating the ACPI namespace. This results in a kernel stack dump containing sensitive kernel memory addresses. To reach this code path, a local user must be able to load a crafted ACPI table, which requires the CAP_SYS_RAWIO capability or root privileges. Affected versions: Linux kernel before 4.12 (the issue is fixed in commit 3b2d69114fefa474fca542e51119036dceb4aa6f).

Exploitation

An attacker with local access and the ability to load ACPI tables (e.g., via acpi_load_table or by triggering a module-level ACPI code path) can supply a malicious ACPI table. When the kernel processes the crafted table, it reaches the vulnerable acpi_ns_terminate() path, which does not flush the operand cache. The subsequent kernel stack dump (a kernel log message) includes residual kernel memory addresses from the operand cache that are otherwise not accessible to userspace.

Impact

Successful exploitation allows a local attacker to obtain sensitive kernel memory addresses (information disclosure). This directly defeats the Kernel Address Space Layout Randomization (KASLR) protection mechanism (in kernels through 4.9), as the leaked addresses can be used to calculate the kernel base address, facilitating further exploitation such as privilege escalation. No arbitrary code execution or privilege escalation is directly achieved, but the attacker gains a critical information leak that weakens other kernel defenses.

Mitigation

The fix was applied in Linux kernel version 4.12 via commit 3b2d69114fefa474fca542e51119036dceb4aa6f [4]. Ubuntu and other distributions have backported the fix to their stable kernels; see Ubuntu Security Notices USN-3754-1 [1], USN-3619-2 [2], and USN-3619-1 [3] for details. Users should update to a patched kernel version. For systems that cannot be updated, restricting local access and disabling loading of arbitrary ACPI tables may reduce exposure, but the recommended mitigation is to apply the kernel update.
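A small triage helper for the version ranges the advisory gives (fix in mainline 4.12; KASLR-bypass impact scoped to kernels through 4.9), added here as an example and not code from VYPR, NVD or the Linux kernel project. It parses a `uname -r` string with a regular expression of its own and flags distribution builds (anything with a `-` suffix), because a backported fix such as the Ubuntu USNs above leaves the upstream version number unchanged, so a version comparison alone can only say "possibly affected" for such kernels. The sample release strings at the bottom are constructed.

```python
import re

# Version boundaries taken from the advisory text on this page.
FIXED_IN_MAINLINE = (4, 12)       # fix landed in mainline 4.12
KASLR_BYPASS_THROUGH = (4, 9)     # NVD scopes the KASLR-bypass impact to kernels through 4.9


def parse_kernel_release(release):
    """Return (major, minor, patch) from a `uname -r` style string.

    Accepts forms such as '4.9.0-8-amd64', '4.11.12' or '4.12-rc1';
    a missing patch level is treated as 0.
    """
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def triage(release):
    """Classify one kernel release string against CVE-2017-11472's stated ranges."""
    version = parse_kernel_release(release)
    upstream_affected = version[:2] < FIXED_IN_MAINLINE
    # A '-' suffix (e.g. '-8-amd64', '-26-generic') marks a distro build; the
    # distro may have backported the fix without bumping the upstream version.
    distro_build = "-" in release

    if not upstream_affected:
        verdict = "not affected (upstream version is 4.12 or later)"
    elif distro_build:
        verdict = "possibly affected: verify against the distribution's security notices"
    else:
        verdict = "affected (upstream version is before 4.12)"

    return {
        "release": release,
        "version": version,
        "upstream_affected": upstream_affected,
        "distro_build": distro_build,
        "kaslr_bypass_in_scope": upstream_affected and version[:2] <= KASLR_BYPASS_THROUGH,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("4.9.0-8-amd64", "4.11.12", "4.12.0", "5.4.0-26-generic"):
        print(triage(sample))
```

Run it with `python3 triage.py`, or feed the live value with `triage(subprocess.check_output(["uname", "-r"], text=True))`; a "possibly affected" verdict means the package changelog or the relevant USN, not the version number, is the authority.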

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 36

Patches: 0 (no patches discovered yet).

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet).