The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
The qemu-kvm server is vulnerable to the Venom remote code execution attack.
The remote host is running a version of qemu-kvm which is vulnerable to an out-of-bounds memory access flaw, which can cause a crash or execution of arbitrary code on the host.
Upgrade to qemu-kvm (or qemu-kvm-rhev) 0.12.1.2-2.448.