What is CVE-2023-53070?

CVE-2023-53070 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, affecting Linux kernel versions from 5.19.4 onward and patched in 6.1.21, 6.2.8 and 6.3. CVE-2023-53070 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2023-53070?

CVE-2023-53070 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2023-53070?

Yes, CVE-2023-53070 has been patched. Fixed versions include 6.1.21, 6.2.8 and 6.3. If you are running Linux kernel 5.19.4 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2023-53070 actively exploited?

CVE-2023-53070 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2023-53070

Medium

In the Linux kernel, the following vulnerability has been resolved: ACPI: PPTT: Fix to avoid sleep in the atomic context when PPTT is absent Commit 0c80f9e165f8 ("ACPI: PPTT: Leave the table mapped for the runtime usage") enabled to map PPTT once on the first invocation of acpi_get_pptt() and never unmapped the same allowing it to be used at runtime with out the hassle of mapping and unmapping the table. This was needed to fetch LLC information from the PPTT in the cpuhotplug path which is executed in the atomic context as the acpi_get_table() might sleep waiting for a mutex. However it missed to handle the case when there is no PPTT on the system which results in acpi_get_pptt() being called from all the secondary CPUs attempting to fetch the LLC information in the atomic context without knowing the absence of PPTT resulting in the splat like below: | BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:164 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 1, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 0 | hardirqs last enabled at (0): 0x0 | hardirqs last disabled at (0): copy_process+0x61c/0x1b40 | softirqs last enabled at (0): copy_process+0x61c/0x1b40 | softirqs last disabled at (0): 0x0 | CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.3.0-rc1 #1 | Call trace: | dump_backtrace+0xac/0x138 | show_stack+0x30/0x48 | dump_stack_lvl+0x60/0xb0 | dump_stack+0x18/0x28 | __might_resched+0x160/0x270 | __might_sleep+0x58/0xb0 | down_timeout+0x34/0x98 | acpi_os_wait_semaphore+0x7c/0xc0 | acpi_ut_acquire_mutex+0x58/0x108 | acpi_get_table+0x40/0xe8 | acpi_get_pptt+0x48/0xa0 | acpi_get_cache_info+0x38/0x140 | init_cache_level+0xf4/0x118 | detect_cache_attributes+0x2e4/0x640 | update_siblings_masks+0x3c/0x330 | store_cpu_topology+0x88/0xf0 | secondary_start_kernel+0xd0/0x168 | __secondary_switched+0xb8/0xc0 Update acpi_get_pptt() to consider the fact that PPTT is once checked and is not available on the system and return NULL avoiding any attempts to fetch PPTT and thereby avoiding any possible sleep waiting for a mutex in the atomic context.

Package Linux Kernel

Published 2025-05-02

Last modified 2025-11-12

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-252

CVE-2023-53070 is classified as CWE-252

See CWE-252 on MITRE CWE for full details on this weakness type.

Affected versions

Linux kernel versions 5.19.4, 6.0 and later are affected. Fixed in 6.1.21, 6.2.8, 6.3 and their respective stable series.

Affected from

≥ 5.19.4 ≥ 6.0

Fixed in

✓ 6.1.21 6.1.x ✓ 6.2.8 6.2.x ✓ 6.3

References

The following references provide additional information about CVE-2023-53070 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/1318a07706bb2f8c65f88f39a16c2b5260bcdcd4
Patch
Kernel patch commit
https://git.kernel.org/stable/c/91d7b60a65d9f71230ea09b86d2058a884a3c2af
Patch
Kernel patch commit
https://git.kernel.org/stable/c/e0c1106d51b9abc8eae03c5522b20649b6a55f6e
Patch

Details

CVE ID CVE-2023-53070

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2025-05-02

Modified 2025-11-12

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2023-53070?

CVE-2023-53070 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 . It affects Linux kernel versions from 5.19.4 onward and has been patched in 6.1.21, 6.2.8 and 6.3. CVE-2023-53070 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2023-53070?

CVE-2023-53070 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2023-53070?

Yes — CVE-2023-53070 has been patched. Fixed versions include 6.1.21, 6.2.8 and 6.3. If you are running Linux kernel 5.19.4 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2023-53070 actively exploited?

No — CVE-2023-53070 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.