Problem Description:
bhyve can be configured to emulate devices on a virtual USB
controller (XHCI), such as USB tablet devices. Insufficient
boundary validation in the USB code could lead to an out-of-bounds
write on the heap, with data controlled by the caller.
Impact:
Malicious, privileged software running in a guest VM can
exploit the vulnerability to achieve code execution on the host in
the bhyve userspace process, which typically runs as root. Note
that bhyve runs in a Capsicum sandbox, so malicious code is constrained
by the capabilities available to the bhyve process.
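
To see which guests have the emulated XHCI controller attached, the following added example (not part of the advisory or of bhyve) classifies bhyve invocations, one per line. It assumes devices are given as `-s slot,emulation[,conf]` arguments; invocations that use `-k` or `-o` are reported for manual review, and the sample command lines are constructed.

```shell
#!/bin/sh
# Added example: classify bhyve guests by whether an XHCI controller is attached.
# Reads one bhyve invocation per line on stdin and prints "<vm> <status>":
#   xhci          an "-s slot,xhci[,...]" device is present
#   check-config  devices may come from "-k file" or "-o var=value"; review by hand
#   no-xhci       no XHCI controller on the command line
bhyve_xhci_audit() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f        # split into words without globbing
        [ "${1##*/}" = bhyve ] || continue  # skip lines that are not bhyve
        shift
        status=no-xhci vm=
        while [ $# -gt 0 ]; do
            dev=
            case $1 in
                -s)      if [ $# -gt 1 ]; then dev=$2; shift; fi ;;
                -s?*)    dev=${1#-s} ;;     # argument attached to the flag
                -k*|-o*) [ "$status" = xhci ] || status=check-config ;;
            esac
            if [ -n "$dev" ]; then
                rest=${dev#*,}              # drop the slot field
                case ${rest%%,*} in         # emulation name is the next field
                    xhci) status=xhci ;;
                esac
            fi
            vm=$1                           # the VM name is the last word
            shift
        done
        printf '%s %s\n' "$vm" "$status"
    done
}

# Constructed sample invocations (hypothetical guests and paths).
SAMPLE_CMDLINES='bhyve -c 2 -m 4G -H -s 0,hostbridge -s 3,xhci,tablet -s 31,lpc -l com1,stdio win10
/usr/sbin/bhyve -c 1 -m 1G -s 0:0,hostbridge -s 2:0,virtio-blk,/vm/db.img -s 31,lpc db01
bhyve -k /vm/build.conf build01
bhyve -c 1 -m 512M -s0,hostbridge -s4:0,xhci,tablet legacy'

printf '%s\n' "$SAMPLE_CMDLINES" | bhyve_xhci_audit
```

Guests reported as `check-config` need their configuration file or `-o` settings inspected separately, since this script does not parse them.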