Problem Description:
bhyve can be configured to emulate devices on a virtual USB
controller (XHCI), such as USB tablet devices. Insufficient
boundary validation in the USB code could lead to an out-of-bounds read
on the heap, which could potentially lead to an arbitrary write and
remote code execution.
Impact:
Malicious, privileged software running in a guest VM can exploit
the vulnerability to crash the hypervisor process or potentially achieve
code execution on the host in the bhyve userspace process, which
typically runs as root. Note that bhyve runs in a Capsicum sandbox, so
malicious code is constrained by the capabilities available to the bhyve
process.
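
The affected code path is only present in guests that attach an emulated XHCI controller, so the first triage step is finding which guests do. The following sh sketch is an added example, not part of the advisory or of bhyve itself. It assumes bhyve command lines (for instance from launch scripts) are supplied one per line, that devices are passed as "-s slot,emulation[,conf]", and that the VM name is the last argument; the sample command lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): report bhyve guests that attach an
# emulated XHCI controller. Input: one bhyve command line per line on stdin.
# Assumptions: devices are given as "-s slot,emulation[,conf]" (or "-sslot,...")
# and the VM name is the last argument. Other ways of configuring a guest are
# not examined.
xhci_guests() {
    awk '
    {
        start = 0
        for (i = 1; i <= NF; i++) {
            n = split($i, path, "/")
            if (path[n] == "bhyve") { start = i; break }
        }
        if (start == 0) next            # not a bhyve invocation
        hit = ""
        for (i = start + 1; i < NF; i++) {
            if ($i == "-s") { arg = $(i + 1); i++ }
            else if ($i ~ /^-s./) arg = substr($i, 3)
            else continue
            m = split(arg, f, ",")       # f[1] = slot, f[2] = emulation
            if (m >= 2 && f[2] == "xhci")
                hit = hit (hit == "" ? "" : " ") arg
        }
        if (hit != "") print $NF ": " hit
    }'
}

# Constructed sample command lines (VM names, slots and paths are made up).
sample_cmdlines() {
    cat <<'EOF'
/usr/sbin/bhyve -c 2 -m 2G -H -s 0,hostbridge -s 3,virtio-blk,/vm/a.img -s 30,xhci,tablet -s 31,lpc -l com1,stdio vm-a
bhyve -c 1 -m 512M -s 0,hostbridge -s 2,virtio-net,tap0 -s 31,lpc vm-b
bhyve -c 4 -m 4G -s0:0,hostbridge -s29:0,xhci,tablet -s 31,lpc vm-c
EOF
}

sample_cmdlines | xhci_guests
```

Each output line names a guest and the slot specification that attaches the XHCI controller; guests without one produce no output.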