device: 0.730
instruction: 0.699
vnc: 0.657
graphic: 0.588
mistranslation: 0.531
socket: 0.470
semantic: 0.438
network: 0.423
other: 0.355
boot: 0.305
assembly: 0.114
KVM: 0.078

In windows host, tftp arbitrary file read vulnerability

https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343

  if (!strncmp(req_fname, "../", 3) ||
      req_fname[strlen(req_fname) - 1] == '/' ||
      strstr(req_fname, "/../")) {
      tftp_send_error(spt, 2, "Access violation", tp);
      return;
  }

There are file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.

This is fixed upstream by https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4