qemu SCSI REPORT LUNS buffer overflow
qemu contains a possible buffer overflow in the SCSI code that implements the REPORT LUNS command. The buffer can be overflowed by creating a SCSI controller with more than 256 attached devices (such as disks) and sending a REPORT LUNS command with a short transfer buffer (less than 2056 bytes). 2056 bytes is the size of a REPORT LUNS response for exactly 256 logical units: an 8-byte header followed by 256 8-byte LUN entries, so a response for more than 256 devices does not fit in a buffer sized for that case.
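The following C model is an added example for this advisory; it is not qemu's code and does not reproduce qemu's control flow. It shows where the 2056-byte figure comes from and contrasts a REPORT LUNS encoder whose entry loop is never bounded with one that limits every write by both the destination buffer size and the initiator's ALLOCATION LENGTH while still advertising the full LUN LIST LENGTH. The function names (report_luns_unbounded, report_luns_bounded, run_demo), the 300 constructed LUNs and the canary arena are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a SCSI target's REPORT LUNS handler: an added
 * example, not qemu's code.  SPC-3 parameter data is an 8-byte header
 * (big-endian LUN LIST LENGTH, 4 reserved bytes) followed by one 8-byte
 * entry per logical unit, so a fixed buffer for 256 entries is
 * 8 + 256 * 8 = 2056 bytes, the number quoted in the advisory. */
#define RL_HDR_LEN    8
#define RL_ENTRY_LEN  8
#define RL_FIXED_LEN  (RL_HDR_LEN + 256 * RL_ENTRY_LEN)   /* 2056 */

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* SAM-2 LUN encoding: peripheral device addressing below 256, flat space
 * addressing (0x40 | high bits) for larger LUNs. */
static void encode_lun(uint8_t *entry, uint32_t lun)
{
    memset(entry, 0, RL_ENTRY_LEN);
    entry[0] = lun < 256 ? 0 : (uint8_t)(0x40 | ((lun >> 8) & 0x3f));
    entry[1] = (uint8_t)lun;
}

/* Vulnerable pattern (hypothetical): the reported length is clamped to the
 * initiator's ALLOCATION LENGTH (xfer), but the loop emits every attached
 * LUN into a buffer assumed to be RL_FIXED_LEN bytes.  More than 256 LUNs
 * write past its end.  Returns the length the handler claims it produced. */
static size_t report_luns_unbounded(uint8_t *buf, uint32_t xfer,
                                    const uint32_t *luns, size_t nluns)
{
    size_t len = nluns * RL_ENTRY_LEN;
    if (len > xfer - RL_HDR_LEN)
        len = xfer - RL_HDR_LEN;
    memset(buf, 0, RL_HDR_LEN);
    put_be32(buf, (uint32_t)(nluns * RL_ENTRY_LEN));
    for (size_t i = 0; i < nluns; i++)                 /* i is never bounded */
        encode_lun(buf + RL_HDR_LEN + i * RL_ENTRY_LEN, luns[i]);
    return RL_HDR_LEN + len;
}

/* Hardened version: writes are bounded by the real destination size and by
 * ALLOCATION LENGTH, whichever is smaller; LUN LIST LENGTH still advertises
 * the full list so the initiator can retry with a bigger buffer.  Returns
 * bytes written, or 0 for a malformed request (SPC requires ALLOCATION
 * LENGTH >= 16) or a destination too small for the header. */
static size_t report_luns_bounded(uint8_t *buf, size_t buflen, uint32_t xfer,
                                  const uint32_t *luns, size_t nluns)
{
    if (xfer < 16 || buflen < RL_HDR_LEN)
        return 0;
    size_t limit = xfer < buflen ? xfer : buflen;
    size_t entries = (limit - RL_HDR_LEN) / RL_ENTRY_LEN;
    if (entries > nluns)
        entries = nluns;
    memset(buf, 0, RL_HDR_LEN);
    put_be32(buf, (uint32_t)(nluns * RL_ENTRY_LEN));
    for (size_t i = 0; i < entries; i++)
        encode_lun(buf + RL_HDR_LEN + i * RL_ENTRY_LEN, luns[i]);
    return RL_HDR_LEN + entries * RL_ENTRY_LEN;
}

/* Demonstration harness: 300 constructed LUNs (0..299), a 2056-byte
 * response buffer, and a 0xAA canary region after it.  Everything lives in
 * one arena so even the vulnerable handler stays inside defined memory. */
#define DEMO_LUNS   300
#define CANARY_LEN  (DEMO_LUNS * RL_ENTRY_LEN)

struct demo { size_t claimed; uint32_t list_len; bool clobbered; };

static struct demo run_demo(bool hardened, uint32_t xfer)
{
    static uint8_t arena[RL_FIXED_LEN + CANARY_LEN];
    uint32_t luns[DEMO_LUNS];
    struct demo d;
    for (uint32_t i = 0; i < DEMO_LUNS; i++)
        luns[i] = i;
    memset(arena, 0xAA, sizeof arena);
    d.claimed = hardened
        ? report_luns_bounded(arena, RL_FIXED_LEN, xfer, luns, DEMO_LUNS)
        : report_luns_unbounded(arena, xfer, luns, DEMO_LUNS);
    d.list_len = get_be32(arena);
    d.clobbered = false;
    for (size_t i = RL_FIXED_LEN; i < sizeof arena; i++)
        if (arena[i] != 0xAA)
            d.clobbered = true;
    return d;
}

int main(void)
{
    struct demo v = run_demo(false, 512), h = run_demo(true, 512);
    printf("unbounded: claims %zu bytes, canary clobbered: %s\n",
           v.claimed, v.clobbered ? "yes" : "no");
    printf("bounded:   wrote %zu bytes, list length %u, clobbered: %s\n",
           h.claimed, h.list_len, h.clobbered ? "yes" : "no");
    return 0;
}
```

With a 512-byte ALLOCATION LENGTH and 300 LUNs, the unbounded handler claims to have produced 512 bytes but has written 2408, overrunning the 2056-byte buffer from the entry for LUN 256 onward; the bounded handler writes exactly 512 bytes, advertises a LUN LIST LENGTH of 2400, and leaves the canary intact whatever ALLOCATION LENGTH the initiator supplies.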
Xen systems do not use the qemu SCSI code by default; only guests that have been explicitly configured with a qemu SCSI controller are exposed.
buffer overflow (not used by default)
On Xen systems where the devicemodelargs (or equivalent) parameters have been used to configure a qemu SCSI controller for a guest with more than 256 attached devices, a malicious guest can trigger the overflow by issuing the REPORT LUNS command described above and might be able to escalate its privilege to that of the qemu process in the host (typically root).