Izik Eidus found a bug in QEMU that allows priviledged guest user to touch arbitrary memory in the hosting QEMU process. The bug is in QXL/libspice code. Guest and host share region of memory and use it to communicate with each other. Malicious user can use the lack of validation of pointers embedded into data structures in this memory area to touch host's abitrary memory location and/or make the hosting QEMU process crash by dereferencing invalid pointer.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0633 https://rhn.redhat.com/errata/RHSA-2010-0633.html
This issue has been addressed in following products: Red Hat Enterprise Virtualization for RHEL-5 Via RHSA-2010:0622 https://rhn.redhat.com/errata/RHSA-2010-0622.html