The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.
http://secunia.com/advisories/60923
http://secunia.com/advisories/62143
http://secunia.com/advisories/62144
http://www.debian.org/security/2014/dsa-3066