A flaw was discovered in 9pfs. Jietao Xiao and his team found that when a local user in the guest tries to write an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances(exist an executable file owned by root, writable by others, has SUID/SGID bits), this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host's local user to elevate privileges on the host.
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 2223986]