Description

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

INFO

Published Date :

2026-02-18T20:49:06.186Z

Last Modified :

2026-02-19T14:35:51.033Z

Source :

fedora
AFFECTED PRODUCTS

The following products are affected by CVE-2025-8860 vulnerability.

Vendors Products
Redhat
  • Advanced Virtualization
  • Enterprise Linux
  • Openshift
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-8860.

URL Resource
https://access.redhat.com/security/cve/CVE-2025-8860 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2387588 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-8860 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-8860 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact