Izik Eidus found a bug in QEMU that allows a privileged guest user to force the QEMU process on the host to issue free() and/or malloc() calls at addresses controlled by the guest user. The bug is in the QXL/libspice code.
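The defensive pattern that prevents this class of bug is to never let a guest-supplied value reach free() or become a host pointer without validation. The following is an added illustration, not QEMU's or libspice's actual code; the `guest_region_t` layout, the handle table and the 64-byte sample region are constructed for the example. It shows two host-side checks: a guest offset is translated to a host pointer only after an overflow-safe bounds check, and host allocations handed to the guest are released by handle so the pointer passed to free() always comes from the host's own table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A guest-visible memory region as the host sees it. Hypothetical layout,
 * not QEMU's or libspice's real structures. */
typedef struct {
    uint8_t *base;   /* host address of the mapped region */
    size_t   size;   /* region size in bytes */
} guest_region_t;

/* Translate a guest-supplied offset to a host pointer only if the object of
 * `len` bytes starting there lies entirely inside the region. The subtraction
 * form avoids the wrap-around that `offset + len` could suffer. */
void *guest_offset_to_host(const guest_region_t *r, uint64_t offset, size_t len)
{
    if (r == NULL || r->base == NULL || len == 0 || len > r->size)
        return NULL;
    if (offset > (uint64_t)(r->size - len))
        return NULL;
    return r->base + offset;
}

/* Host-owned allocations handed to the guest are tracked in a table and the
 * guest refers to them by handle. Releasing via handle means the pointer
 * passed to free() always comes from the host's table, never from the guest. */
#define MAX_HANDLES 8
static void *handle_table[MAX_HANDLES];

/* Returns a handle in [0, MAX_HANDLES) or -1 when the table is full or
 * the allocation fails. */
int host_alloc_for_guest(size_t len)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (handle_table[i] == NULL) {
            void *p = calloc(1, len);
            if (p == NULL) return -1;
            handle_table[i] = p;
            return i;
        }
    }
    return -1;
}

/* Returns 0 on success, -1 for an unknown or already-released handle;
 * no free() is issued in the failure cases, so a bogus or repeated
 * guest request cannot turn into a wild or double free. */
int host_release_handle(uint64_t handle)
{
    if (handle >= MAX_HANDLES || handle_table[handle] == NULL)
        return -1;
    free(handle_table[handle]);
    handle_table[handle] = NULL;
    return 0;
}

/* Constructed sample region: 64 bytes standing in for device memory. */
static uint8_t demo_vram[64];
static const guest_region_t demo_region = { demo_vram, sizeof demo_vram };

int main(void)
{
    /* In-bounds request succeeds; out-of-bounds and wrapping requests fail. */
    printf("offset 0 len 16: %s\n",
           guest_offset_to_host(&demo_region, 0, 16) ? "ok" : "rejected");
    printf("offset 60 len 8: %s\n",
           guest_offset_to_host(&demo_region, 60, 8) ? "ok" : "rejected");
    printf("offset UINT64_MAX len 1: %s\n",
           guest_offset_to_host(&demo_region, UINT64_MAX, 1) ? "ok" : "rejected");

    int h = host_alloc_for_guest(32);
    printf("release handle %d: %d\n", h, host_release_handle((uint64_t)h));
    printf("double release: %d\n", host_release_handle((uint64_t)h));
    printf("bogus handle: %d\n", host_release_handle(0xdeadbeefULL));
    return 0;
}
```

The bounds check is written as `offset > size - len` rather than `offset + len > size` because the guest controls `offset` and can choose a value that makes the addition wrap; the handle table makes the free() argument a host-chosen pointer regardless of what the guest sends.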
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 via RHSA-2010:0633 https://rhn.redhat.com/errata/RHSA-2010-0633.html
This issue has been addressed in the following products: Red Hat Enterprise Virtualization for RHEL-5 via RHSA-2010:0622 https://rhn.redhat.com/errata/RHSA-2010-0622.html