CVE-2025-8860

Name of the Vulnerable Software and Affected Versions qemu (affected versions not specified)

Description The vulnerability involves an information disclosure issue in QEMU. A heap buffer is allocated without being zeroed, potentially exposing residual data from prior allocations. This data can be read back to the guest when accessing register UEFI VARS REG PIO BUFFER TRANSFER via the uefi vars read callback function, leading to the disclosure of sensitive process memory or metadata. The issue occurs when a guest writes to register UEFI VARS REG BUFFER SIZE, triggering the uefi vars write callback.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.