The following flaw was reported by SUSE Security:

One major security property of `spice-vdagentd` is that it only allows those clients access to most of the SPICE features (like clipboard and file transfer) that are currently in an active session according to systemd. It is possible for arbitrary local users (like *nobody*) to connect to `spice-vdagentd`, but these connections should not be able to interact with the host machine, because they do not belong to the active session.

There is a race condition between the point in time when a client performs the `connect()` call to establish a connection with `spice-vdagentd` and the time `spice-vdagentd` retrieves and checks the PID in its `agent_connect()` function. The described race condition is very hard to hit under normal circumstances, because the `agent_connect()` function in `spice-vdagentd` is very likely to run before an unrelated process gets reassigned the malicious PID in question. When combined with the file descriptor exhaustion security issue, however, this attack becomes far more feasible.

An unprivileged local attacker inside a VM could use this flaw to become the "active agent" for `spice-vdagentd` for the graphical session of a legitimate local user. If successful, the attacker can access the host's clipboard contents or send malicious clipboard content to the host. The attacker can also retrieve file data from the host or send invalid screen resolution and display information to the host. If the victim's graphical session already runs a legitimate `spice-vdagent`, then a successful attack will trigger the information leak protection logic in `vdagentd.c:874`. This has the effect of a denial of service, because neither the attacker nor the legitimate user will be able to use the SPICE features anymore.
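The precondition for the race above, shown in working code. This is an added example and not code from the report or from spice-vdagent: a peer PID read through `SO_PEERCRED` is a snapshot the kernel took when the client called `connect()`. If the client exits before the server gets around to `accept()` and its check, the server is left holding a PID that no longer refers to any live process, and once the kernel hands that PID to another process, a session lookup keyed on it answers for the wrong process. The function names, the `stale_result` struct and the abstract socket name are this example's own; it is Linux-only and needs no files on disk.

```c
/* Added example (not spice-vdagent code): demonstrates that the PID from
 * SO_PEERCRED is fixed at connect() time and may be dead (and reusable) by
 * the time the server checks it. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Credentials the kernel recorded for the peer when it connected. */
static int peer_pid(int fd, pid_t *pid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *pid = cred.pid;
    return 0;
}

/* Minimal liveness check a server could run: does a process with this PID
 * exist right now? kill(pid, 0) delivers no signal. This does NOT close the
 * race: if the PID was already recycled, the check passes for the wrong
 * process. It only rejects the "peer already gone" case. */
int pid_is_live(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;
}

struct stale_result {
    pid_t client_pid;  /* PID of the short-lived client forked below */
    pid_t peer_pid;    /* PID reported by SO_PEERCRED on the accepted socket */
    int   peer_live;   /* pid_is_live(peer_pid) at check time */
};

/* Fork a client that connects and exits immediately; only then accept() and
 * inspect the credentials, mimicking a server whose accept/check is delayed
 * (for example by the file descriptor exhaustion mentioned in the report). */
int demo_stale_peer_pid(struct stale_result *out)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    /* Abstract-namespace name (leading NUL byte), unique per run. */
    int n = snprintf(addr.sun_path + 1, sizeof(addr.sun_path) - 1,
                     "peercred-demo-%ld", (long)getpid());
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);

    int srv = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&addr, alen) < 0 || listen(srv, 8) < 0)
        return -1;

    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        int c = socket(AF_UNIX, SOCK_STREAM, 0);
        if (c < 0 || connect(c, (struct sockaddr *)&addr, alen) < 0)
            _exit(1);
        _exit(0);  /* connected; exit without waiting for the server */
    }

    int status = 0;
    if (waitpid(child, &status, 0) < 0 || status != 0)
        return -1;  /* child reaped: its PID is now free for reuse */

    /* The connection completed while the child lived and sits in the backlog. */
    int conn = accept(srv, NULL, NULL);
    if (conn < 0)
        return -1;

    out->client_pid = child;
    if (peer_pid(conn, &out->peer_pid) < 0)
        return -1;
    out->peer_live = pid_is_live(out->peer_pid);

    close(conn);
    close(srv);
    return 0;
}

int main(void)
{
    struct stale_result r;
    if (demo_stale_peer_pid(&r) < 0) {
        perror("demo_stale_peer_pid");
        return 1;
    }
    printf("client pid %ld, SO_PEERCRED pid %ld, live at check time: %s\n",
           (long)r.client_pid, (long)r.peer_pid, r.peer_live ? "yes" : "no");
    return 0;
}
```

Run as-is and the reported PID equals the exited client's PID while the liveness check fails. The takeaway for a service like `spice-vdagentd` is that a PID is not a stable identity across the connect-to-check window: any trust decision keyed on the PID (here, the systemd session lookup) is only as good as the delay between `connect()` and the lookup, which is exactly what an attacker widens with file descriptor exhaustion.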
Acknowledgments: Name: Matthias Gerstner (SUSE Security Team)
External References: https://www.openwall.com/lists/oss-security/2020/11/04/1
Created spice-vdagent tracking bugs for this issue: Affects: fedora-all [bug 1894436]
Upstream commits: https://github.com/freedesktop/spice-vd_agent/commit/51c415df82a52e9ec033225783c77df95f387891 https://github.com/freedesktop/spice-vd_agent/commit/5c50131797e985d0a5654c1fd7000ae945ed29a7
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25653
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1791 https://access.redhat.com/errata/RHSA-2021:1791