There’s a critical bug in Xen, KVM, and QEMU that could allow an attacker to gain control of the host OS underlying a virtual machine, and from there gain access to all the guest OSes running on that host. The bug is in a virtual floppy disk controller, and it could allow exploitation of the guest or host OS, whether that is Linux, Windows, Mac OS X, or others. VMware, Microsoft Hyper-V, and Bochs hypervisors are *not* affected by this bug.
This is a serious issue, but to exploit it you need to have root or administrator access on the guest OS. If the guest OS has been compromised and the attacker has gained root/admin access, then they could exploit this. There are no indications at this time that there is exploit code in the wild, but that could change at any time.
Some news sites are calling this worse than the Heartbleed bug of a year ago, but that one was exploitable remotely without having to be logged in. This new bug is not remotely exploitable, so I would not say it’s that bad, but if you are running a system with Xen, KVM, or QEMU, you need to get it patched soon.
More information can be found here: