CVE-2025-8860
Received Received - Intake
Information Disclosure in QEMU uefi-vars Due to Uninitialized Buffer

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Fedora Project

Description
A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8860
EUVD
EUVD-2025-207826
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qemu qemu *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-8860 is an information disclosure vulnerability in the QEMU-KVM component related to UEFI variable handling.

When a guest writes to the UEFI_VARS_REG_BUFFER_SIZE register, the `uefi_vars_write` callback function allocates a heap buffer but does not zero out the memory. This leaves the buffer filled with residual data from previous allocations.

Later, when the guest reads from the UEFI_VARS_REG_PIO_BUFFER_TRANSFER register, the `uefi_vars_read` callback returns this leftover data, which may include sensitive metadata or other process memory contents.

This results in an information disclosure vulnerability, potentially exposing sensitive information from the host or other processes.

Impact Analysis

This vulnerability can lead to unintended information disclosure.

Specifically, sensitive metadata or other process memory from previous allocations may be exposed to a guest virtual machine running on QEMU-KVM with UEFI variable support.

An attacker with access to the guest could potentially read sensitive information from the host or other processes, which could be leveraged for further attacks or data breaches.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update QEMU-KVM to a version that includes the upstream fix which ensures proper memory initialization during buffer allocation.

This fix prevents the information disclosure by zeroing out the heap buffer before use, eliminating residual data exposure.

Ensure your Linux operating system running QEMU-KVM with UEFI variable support is patched accordingly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart