CVE-2025-8860 – Qemu-kvm: uefi-vars: information disclosure vulnerability in uefi_vars_write callback

CVE ID : CVE-2025-8860

Published : Feb. 18, 2026, 8:49 p.m. | 11 minutes ago

Description : A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Severity: 3.3 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…