diff --git a/acpica-tools.spec b/acpica-tools.spec
index bb6ceb4..c1cd0e5 100644
--- a/acpica-tools.spec
+++ b/acpica-tools.spec
@@ -38,6 +38,7 @@ Patch11: be-tpm2.patch
 Patch12: mips-be-fix.patch
 Patch13: cve-2017-13693.patch
 Patch14: cve-2017-13694.patch
+Patch15: cve-2017-13695.patch
 BuildRequires: bison patchutils flex
@@ -102,6 +103,7 @@ gzip -dc %{SOURCE1} | tar -x --strip-components=1 -f -
 %patch12 -p1 -b .mips-be-fix
 %patch13 -p1 -b .cve-2017-13693
 %patch14 -p1 -b .cve-2017-13694
+%patch15 -p1 -b .cve-2017-13695
 cp -p %{SOURCE2} README.Fedora
 cp -p %{SOURCE3} iasl.1
@@ -202,6 +204,9 @@ fi
 fix the leak. Resolves BZ#1485346.
 - CVE-2017-13694: acpi parse and parseext cache leaks in psobjects.c -- applied github patch to fix the leaks. Resolves BZ#1485348.
+- CVE-2017-13695: operand cache leak in nseval.c -- applied github patch to fix
+ the leak. Resolves BZ#1485349.
+- Security fixes for the CVEs above applied. Closes BZ#1485355.
 * Fri Feb 09 2018 Igor Gnatenko - 20180105-3
 - Escape macros in %%changelog
diff --git a/cve-2017-13695.patch b/cve-2017-13695.patch
new file mode 100644
index 0000000..6f0780d
--- /dev/null
+++ b/cve-2017-13695.patch
@@ -0,0 +1,90 @@
+From 37f2c716f2c6ab14c3ba557a539c3ee3224931b5 Mon Sep 17 00:00:00 2001
+From: Seunghun Han
+Date: Wed, 19 Jul 2017 17:04:44 +0900
+Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in nseval.c
+
+I found an ACPI cache leak in ACPI early termination and boot continuing case.
+
+When early termination occurs due to malicious ACPI table, Linux kernel
+terminates ACPI function and continues to boot process. While kernel terminates
+ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
+
+Boot log of ACPI operand cache leak is as follows:
+>[ 0.464168] ACPI: Added _OSI(Module Device)
+>[ 0.467022] ACPI: Added _OSI(Processor Device)
+>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
+>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
+>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
+>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.497683] ACPI: Interpreter enabled
+>[ 0.499385] ACPI: (supports S0)
+>[ 0.501151] ACPI: Using IOAPIC for interrupt routing
+>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
+>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
+>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still 
has objects
+>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
+>[ 0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+>[ 0.529668] Call Trace:
+>[ 0.530811] ? dump_stack+0x5c/0x81
+>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
+>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
+>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
+>[ 0.537237] ? acpi_terminate+0xa/0x14
+>[ 0.538701] ? acpi_init+0x2af/0x34f
+>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
+>[ 0.541593] ? do_one_initcall+0x4e/0x1a0
+>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
+>[ 0.546202] ? rest_init+0x80/0x80
+>[ 0.547513] ? kernel_init+0xa/0x100
+>[ 0.548817] ? ret_from_fork+0x25/0x30
+>[ 0.550587] vgaarb: loaded
+>[ 0.551716] EDAC MC: Ver: 3.0.0
+>[ 0.553744] PCI: Probing PCI hardware
+>[ 0.555038] PCI host bridge to bus 0000:00
+> ... Continue to boot and log is omitted ...
+
+I analyzed this memory leak in detail and found AcpiNsEvaluate() function
+only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
+occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
+also not null. Therefore, this causes acpi operand memory leak.
+
+This cache leak causes a security threat because an old kernel (<= 4.9) shows
+memory locations of kernel functions in stack dump. Some malicious users
+could use this information to neutralize kernel ASLR.
+
+I made a patch to fix ACPI operand cache leak. 
+
+Signed-off-by: Seunghun Han
+
+Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5
+
+---
+ source/components/namespace/nseval.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+Index: acpica-unix2-20180209/source/components/namespace/nseval.c
+===================================================================
+--- acpica-unix2-20180209.orig/source/components/namespace/nseval.c
++++ acpica-unix2-20180209/source/components/namespace/nseval.c
+@@ -320,6 +320,16 @@ AcpiNsEvaluate (
+
+ Status = AE_OK;
+ }
++ else if (ACPI_FAILURE(Status))
++ {
++ /* If ReturnObject exists, delete it */
++
++ if (Info->ReturnObject)
++ {
++ AcpiUtRemoveReference (Info->ReturnObject);
++ Info->ReturnObject = NULL;
++ }
++ }
+
+ ACPI_DEBUG_PRINT ((ACPI_DB_NAMES,
+ "*** Completed evaluation of object %s ***\n",
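Review bot: The new `else if (ACPI_FAILURE(Status))` branch in the embedded nseval.c hunk carries only a what-comment (`/* If ReturnObject exists, delete it */`); since this branch is the CVE fix itself, the comment should say why the object is dropped here, e.g. `/* Evaluation failed: a ReturnObject left on this path is never handed to the caller, so release it or the operand cache leaks (CVE-2017-13695) */`. Placing the branch after the AE_CTRL_RETURN_VALUE block is what keeps a legitimate return value intact, and that ordering is worth stating in the same comment; the `if` this `else if` attaches to, and AcpiNsEvaluate itself, begin outside the hunk. Assuming ACPI_FAILURE() is ACPICA's plain non-zero status test, the branch also covers the other AE_CTRL_* codes, which looks intended but is not mentioned anywhere in the patch description. The header cites the GitHub commit while the hunk is a quilt-style re-diff against acpica-unix2-20180209 (consistent with the `%patch15 -p1` line in the spec); a one-line note in the header saying it was rebased would make that provenance easier to verify against upstream.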