CVE-2025-8860 LOW

CVE-2025-8860: Qemu-kvm: uefi-vars: information disclosure vulnerability in uefi_vars_write callback

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-212
Published February 18, 2026
Last update February 19, 2026

CVSS base score

3.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.
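As an added illustration of the bug class described above (not QEMU's uefi-vars code), the constructed C model below pairs a register "write" that sizes and allocates a transfer buffer with a "read" that returns bytes from it; the vulnerable write path leaves the allocation uninitialized (stale contents are made deterministic with a filler byte, since a real allocator's residue varies), while the fixed path zeroes it. Names, the size limit and the filler are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a register-backed transfer buffer; not the real device. */
#define MAX_BUFFER_SIZE 4096

typedef struct {
    uint8_t *buffer;
    size_t   buffer_size;
} vars_dev;

/* Stands in for a non-zeroing allocator: the 0xA5 fill represents residual
 * data left over from earlier allocations, made deterministic for the demo. */
static void *alloc_uninitialized(size_t n) {
    uint8_t *p = malloc(n);
    if (p) memset(p, 0xA5, n);
    return p;
}

/* Vulnerable write path (CWE-212 pattern): the new buffer is never cleared,
 * so whatever the allocator hands back is later visible through the read path. */
static int write_buffer_size_vuln(vars_dev *d, size_t size) {
    if (size == 0 || size > MAX_BUFFER_SIZE) return -1;
    free(d->buffer);
    d->buffer = alloc_uninitialized(size);
    d->buffer_size = d->buffer ? size : 0;
    return d->buffer ? 0 : -1;
}

/* Fixed write path: allocate zero-filled memory so no prior contents survive. */
static int write_buffer_size_fixed(vars_dev *d, size_t size) {
    if (size == 0 || size > MAX_BUFFER_SIZE) return -1;
    free(d->buffer);
    d->buffer = calloc(size, 1);
    d->buffer_size = d->buffer ? size : 0;
    return d->buffer ? 0 : -1;
}

/* Read path: byte at offset, or -1 when there is no buffer or offset is out of range. */
static int read_buffer_byte(const vars_dev *d, size_t off) {
    if (!d->buffer || off >= d->buffer_size) return -1;
    return d->buffer[off];
}

/* Releases the buffer and resets the device state. */
static void release(vars_dev *d) { free(d->buffer); d->buffer = NULL; d->buffer_size = 0; }
```

With the vulnerable path, every byte read back is the residue marker; with the fixed path, every byte reads as zero until the guest has written it.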

Key dates

Disclosure timeline

February 18, 2026 CVE published
February 19, 2026 Record updated