VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2025 · Updated Apr 15, 2026

CVE-2023-53708

Description

In the Linux kernel, the following vulnerability has been resolved:

ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects

If a badly constructed firmware includes multiple ACPI_TYPE_PACKAGE objects while evaluating the AMD LPS0 _DSM, there will be a memory leak. Explicitly guard against this.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in the Linux kernel's ACPI s2idle code for AMD platforms occurs when firmware provides multiple ACPI_TYPE_PACKAGE objects during LPS0 _DSM evaluation.

Vulnerability Overview

CVE-2023-53708 is a memory leak vulnerability in the Linux kernel's ACPI subsystem, specifically in the x86/s2idle path. The root cause is that the code handling the AMD LPS0 _DSM (Device Specific Method) evaluation does not properly guard against receiving multiple ACPI_TYPE_PACKAGE objects from a malformed or malicious firmware. When such multiple packages are encountered, the kernel fails to free the previously allocated memory, leading to a leak [1][2].
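The leak pattern and the guard described above, modelled in user-space C as an added example (it is not the kernel's code and not part of the advisory). All type and function names and the two sample firmware results are constructed for illustration.

```c
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not a kernel symbol. */
enum obj_type { TYPE_INTEGER, TYPE_PACKAGE };
struct obj { enum obj_type type; size_t count; };  /* one _DSM result element */
/* Constructed sample results: well-formed, and one with two packages. */
const struct obj good_fw[] = { {TYPE_INTEGER, 0}, {TYPE_PACKAGE, 4} };
const struct obj bad_fw[] = { {TYPE_PACKAGE, 4}, {TYPE_INTEGER, 0}, {TYPE_PACKAGE, 2} };
#define MAX_TRACK 16
static void *tracked[MAX_TRACK];  /* every allocation that is still live */
int dup_seen;                     /* set when the guard rejects the input */
static void *table_alloc(size_t n) {
    for (int i = 0; i < MAX_TRACK; i++)
        if (!tracked[i])
            return tracked[i] = calloc(n ? n : 1, sizeof(int));
    return NULL;
}
static void table_free(void *p) {
    for (int i = 0; p && i < MAX_TRACK; i++)
        if (tracked[i] == p) { free(p); tracked[i] = NULL; return; }
}
/* Count tables nobody freed, then release them so the demo stays clean. */
static size_t count_leaked(void) {
    size_t live = 0;
    for (int i = 0; i < MAX_TRACK; i++)
        if (tracked[i]) { live++; free(tracked[i]); tracked[i] = NULL; }
    return live;
}
/* Unguarded: each package overwrites the pointer, orphaning the earlier table. */
size_t parse_unguarded(const struct obj *e, size_t n) {
    void *table = NULL;
    for (size_t i = 0; i < n; i++)
        if (e[i].type == TYPE_PACKAGE)
            table = table_alloc(e[i].count);
    table_free(table);  /* teardown only knows about the last table */
    return count_leaked();
}
/* Guarded: a second package is treated as malformed and parsing stops. */
size_t parse_guarded(const struct obj *e, size_t n) {
    void *table = NULL;
    dup_seen = 0;
    for (size_t i = 0; i < n && !dup_seen; i++) {
        if (e[i].type != TYPE_PACKAGE) continue;
        if (table) dup_seen = 1;
        else table = table_alloc(e[i].count);
    }
    table_free(table);
    return count_leaked();
}
```

Each function returns the number of tables left unfreed after parsing, so the unguarded parser reports one orphaned table for `bad_fw` while the guarded parser reports none and sets `dup_seen`.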

Exploitation Context

Exploitation requires a system with an AMD platform that supports the Low Power S0 Idle (LPS0) firmware interface. The attack vector is local, as the firmware is part of the system's UEFI/BIOS. An attacker with the ability to influence or provide a crafted firmware table (e.g., through a firmware update or physical access) could trigger the condition. No special privileges are needed beyond the ability to boot the system, as the leak occurs during normal ACPI table parsing at boot or resume time.

Impact

An attacker exploiting this vulnerability can cause a kernel memory leak, which over repeated boot cycles or resume events may exhaust system memory, leading to denial of service (DoS). The leak does not directly allow code execution or privilege escalation, but it can degrade system stability and availability.

Mitigation

The fix was applied to the Linux kernel stable tree in commits [1] and [2]. Users should update to a kernel version containing these patches. No workaround is available other than applying the kernel update. The vulnerability is not known to be exploited in the wild.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 4

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
