CVE-2025-8860

18.02.2026, 21:16

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.3 LOW	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
fedora	CNA	3.3 LOW	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

qemu

bookworm	1:7.2+dfsg-7+deb12u18 not-affected
bookworm (security)	1:7.2+dfsg-7+deb12u15 fixed
bullseye	1:5.2+dfsg-11+deb11u3 not-affected
bullseye (security)	1:5.2+dfsg-11+deb11u5 fixed
forky	1:10.2.0+ds-2 fixed
sid	1:10.2.1+ds-1 fixed
trixie	1:10.0.7+ds-0+deb13u1 no-dsa
trixie (security)	vulnerable

Common Weakness Enumeration

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

References

https://access.redhat.com/security/cve/CVE-2025-8860

https://bugzilla.redhat.com/show_bug.cgi?id=2387588