device: 0.730
files: 0.677
vnc: 0.657
graphic: 0.588
permissions: 0.492
socket: 0.470
semantic: 0.438
network: 0.423
PID: 0.397
other: 0.355
boot: 0.305
debug: 0.286
performance: 0.136
KVM: 0.078

In windows host, tftp arbitrary file read vulnerability

https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343

  if (!strncmp(req_fname, "../", 3) ||
      req_fname[strlen(req_fname) - 1] == '/' ||
      strstr(req_fname, "/../")) {
      tftp_send_error(spt, 2, "Access violation", tp);
      return;
  }

There are file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.

This is fixed upstream by https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4