CVE-2025-8860

LOW SEVERITY

CVSS Score & Metrics

Base Score

3.3 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Vulnerability Details

Published Date

February 18, 2026

Last Modified

February 19, 2026

CWE ID

CWE-212

Source

NVD

External References

https://access.redhat.com/security/cve/CVE-2025-8860
https://bugzilla.redhat.com/show_bug.cgi?id=2387588

CVE-2025-8860

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment