There is a race in spice-activex when a local attacker is able to create a named pipe with the expected name that is used for parameter passing (password, cert file) between spice-activex and spice client.
Also ImpersonateNamedPipeClient() function that allows server to impersonate security context of connected user could be used to gain privileges of the spice user.
This issue has been addressed in following products:
Red Hat Enterprise Virtualization Manager
Via RHSA-2010:0818 https://rhn.redhat.com/errata/RHSA-2010-0818.html