
Description

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to the UEFI_VARS_REG_BUFFER_SIZE register, the device's .write callback `uefi_vars_write` allocates a new transfer buffer of the requested size from the QEMU process heap without zeroing it, so the buffer starts out containing whatever data earlier allocations left in that memory. When the guest later reads from the UEFI_VARS_REG_PIO_BUFFER_TRANSFER register, the .read callback `uefi_vars_read` copies bytes from that buffer back to the guest before the guest has written anything into it, returning leftover metadata or other sensitive QEMU process memory. The result is an information disclosure from the host process to the guest.
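The following is an added illustration of the pattern described above, written for this page; it is not QEMU source and does not reproduce QEMU's real MMIO layout. The register offsets, the `UefiVarsState` struct, the fixed arena standing in for the process heap, the `MODEL_SECRET` string and the zeroing-allocation variant used as the hardened form are all assumptions made so that the demo is small and deterministic. It plays the guest's two-step sequence (program a buffer size, then drain the buffer through the PIO register) against both a non-zeroing and a zeroing allocation and reports how much of the earlier tenant's data the guest recovers.

```c
/*
 * Model of the CVE-2025-8860 pattern: a guest-programmable buffer is
 * allocated without zeroing and later read back through a PIO register.
 * Illustrative reconstruction for this page, not QEMU code. Register
 * offsets, state struct, arena "heap" and the secret are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register offsets: hypothetical values for this model, not QEMU's layout. */
#define UEFI_VARS_REG_BUFFER_SIZE         0x00
#define UEFI_VARS_REG_PIO_BUFFER_TRANSFER 0x04

/*
 * Stand-in for the process heap. A fixed arena replaces malloc() so that
 * "memory left over from an earlier allocation" is reproducible; on a real
 * heap the leftover content is whatever previously lived in that chunk.
 */
static uint8_t arena[256];
static void *arena_alloc(size_t n) { return n <= sizeof arena ? arena : NULL; }
static void *arena_alloc0(size_t n)
{
    void *p = arena_alloc(n);
    if (p) memset(p, 0, n);
    return p;
}

typedef struct {
    uint32_t buf_size;        /* size programmed by the guest */
    uint8_t *buffer;          /* transfer buffer, heap-allocated */
    uint32_t pio_xfer_offset; /* cursor for PIO reads */
} UefiVarsState;

/* .write callback. zero_on_alloc=false reproduces the flaw; true is the hardened form. */
static void uefi_vars_write(UefiVarsState *uv, uint32_t addr, uint64_t val,
                            bool zero_on_alloc)
{
    switch (addr) {
    case UEFI_VARS_REG_BUFFER_SIZE:
        uv->buf_size = (uint32_t)val;
        uv->pio_xfer_offset = 0;
        /* Vulnerable path: the new buffer inherits the region's old bytes. */
        uv->buffer = zero_on_alloc ? arena_alloc0(uv->buf_size)
                                   : arena_alloc(uv->buf_size);
        break;
    default:
        break;
    }
}

/* .read callback: hands back `size` bytes of the buffer at the PIO cursor. */
static uint64_t uefi_vars_read(UefiVarsState *uv, uint32_t addr, unsigned size)
{
    uint64_t val = 0;
    if (addr != UEFI_VARS_REG_PIO_BUFFER_TRANSFER || !uv->buffer ||
        size > sizeof val || uv->pio_xfer_offset + size > uv->buf_size) {
        return 0;
    }
    memcpy(&val, uv->buffer + uv->pio_xfer_offset, size); /* host byte order */
    uv->pio_xfer_offset += size;
    return val;
}

/* Constructed "sensitive" content left behind by an earlier allocation. */
const char MODEL_SECRET[] = "hostsecret:passphrase-from-earlier-allocation";

/*
 * Plays the guest: program a 64-byte buffer, then drain it 4 bytes at a
 * time through the PIO register without ever writing to it. Returns how
 * many bytes of MODEL_SECRET the guest recovered.
 */
size_t leaked_secret_bytes(bool zero_on_alloc)
{
    memset(arena, 0xAA, sizeof arena);
    memcpy(arena, MODEL_SECRET, sizeof MODEL_SECRET); /* previous tenant */

    UefiVarsState uv = {0};
    uefi_vars_write(&uv, UEFI_VARS_REG_BUFFER_SIZE, 64, zero_on_alloc);

    uint8_t out[64];
    for (uint32_t off = 0; off < sizeof out; off += 4) {
        uint32_t w = (uint32_t)uefi_vars_read(&uv, UEFI_VARS_REG_PIO_BUFFER_TRANSFER, 4);
        memcpy(out + off, &w, sizeof w);
    }

    size_t n = 0;
    for (size_t i = 0; i < strlen(MODEL_SECRET); i++)
        n += (out[i] == (uint8_t)MODEL_SECRET[i]);
    return n;
}

int main(void)
{
    printf("non-zeroing alloc: guest recovered %zu secret bytes\n", leaked_secret_bytes(false));
    printf("zeroing alloc:     guest recovered %zu secret bytes\n", leaked_secret_bytes(true));
    return 0;
}
```

The point the model makes is that the leak needs no out-of-bounds access at all: every read stays inside the allocated buffer, so a bounds check on the PIO cursor would not have helped. The defect is in what the buffer contains at allocation time, which is why the hardened variant changes the allocation rather than the read path. When auditing similar device models, look for any guest-triggered allocation whose contents can reach the guest before the device itself initialises them.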

PUBLISHED Reserved 2025-08-11 | Published 2026-02-18 | Updated 2026-02-18 | Assigner fedora




LOW: 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

Improper Removal of Sensitive Information Before Storage or Transfer

Product status

Default status
unaffected

10.0.0 (semver) before 10.1.0
affected


Timeline

2025-08-11: Reported to Red Hat.
2025-08-11: Made public.

Credits

Red Hat would like to thank ZDI (zdi-disclosures@trendmicro.com) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-8860 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2387588 (RHBZ#2387588) issue-tracking

cve.org (CVE-2025-8860)

nvd.nist.gov (CVE-2025-8860)
