Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.3
QEMU UEFI Virtual Device Leaks Sensitive Information
CVE-2025-8860
Summary
A flaw in QEMU's UEFI virtual device can leak sensitive information from the guest operating system, compromising its security. This occurs when the guest writes to a certain register, causing the device to return leftover data from previous memory allocations. To protect your system, update to the latest version of QEMU or disable the UEFI virtual device if not needed.
Original title
A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a hea...
Original description
A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.
nvd CVSS3.1
3.3
Vulnerability type
CWE-212
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026