The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133345.html
http://rhn.redhat.com/errata/RHSA-2014-0743.html