The new vuln glories in the name XSA-138, aka CVE-2015-5154 and means “An HVM guest which has access to an emulated IDE CDROM device (e.g. with a device with "devtype=cdrom", or the "cdrom" convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.”

Dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), the zero-day flaw takes advantage of the “virtual floppy disk controller” and potentially allows attackers to escape out of the virtual machine and execute malicious code on its host.

PoC https://marc.info/?l=oss-security&m=143155206320935&w=2