CVE-2025-8860Improper Removal of Sensitive Information Before Storage or Transfer in Qemu

CWE-212Improper Removal of Sensitive Information Before Storage or Transfer7 documents6 sources
Severity
3.3LOWNVD
EPSS
0.0%
top 99.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
QemuDebian Qemu
Timeline
PublishedFeb 18

Description

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously alloc

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

debiandebian/qemu< qemu 1:10.0.3+ds-4 (forky)
Debianqemu/qemu< 1:10.0.3+ds-4+1

🔴Vulnerability Details

3
GHSA
GHSA-xrj7-v4x4-74hr: A flaw was found in QEMU in the uefi-vars virtual device2026-02-18
OSV
CVE-2025-8860: A flaw was found in QEMU in the uefi-vars virtual device2026-02-18
OSV
CVE-2025-8860: When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the2025-08-20

📋Vendor Advisories

2
Red Hat
qemu-kvm: uefi-vars: information disclosure vulnerability in uefi_vars_write callback2025-08-11
Debian
CVE-2025-8860: qemu - A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes ...2025

🕵️Threat Intelligence

1
Wiz
CVE-2025-8860 Impact, Exploitability, and Mitigation Steps | Wiz