Doing a notify_write access with any PCI device leads to an OOB access in the device.jobs array. By crafting a fake thread_pool__job struct, it is possible to obtain RIP hijacking, allowing a guest user to execute arbitrary code in the host. Index validation in virtio_device.ops.notify_vq should be done as in the other COMMON read and write functions. I am willing to discuss details and provide an exploit in order to help with patching and registering the CVE.
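
The index validation the report asks for, shown as an added example that is not part of the original report and not the project's own code. It is a simplified model: `model_dev`, `model_job`, `model_notify_write` and the queue counts are hypothetical names and assumed values.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_MAX_VQS 8          /* assumed capacity of the jobs array */

/* Stand-in for a per-queue job: a callback pointer plus its argument. */
struct model_job {
    void (*callback)(void *data);
    void *data;
};

struct model_dev {
    unsigned int num_vqs;                  /* queues this device really has */
    struct model_job jobs[MODEL_MAX_VQS];
    unsigned int notified[MODEL_MAX_VQS];  /* per-queue notify counter */
};

static void model_kick(void *data)
{
    ++*(unsigned int *)data;
}

/* Set up `num_vqs` queues; fails if that exceeds the array capacity. */
int model_dev_init(struct model_dev *dev, unsigned int num_vqs)
{
    if (num_vqs > MODEL_MAX_VQS)
        return -EINVAL;
    dev->num_vqs = num_vqs;
    for (size_t i = 0; i < MODEL_MAX_VQS; i++) {
        dev->notified[i] = 0;
        dev->jobs[i].callback = i < num_vqs ? model_kick : NULL;
        dev->jobs[i].data = &dev->notified[i];
    }
    return 0;
}

/*
 * Handle a guest write to the notify register. `vq` comes from the guest,
 * so it is checked against the device's queue count before it is used as
 * an index; without the check, jobs[vq] is read from memory past the
 * array and the callback pointer found there is called.
 */
int model_notify_write(struct model_dev *dev, uint16_t vq)
{
    if (vq >= dev->num_vqs)
        return -EINVAL;
    dev->jobs[vq].callback(dev->jobs[vq].data);
    return 0;
}
```

Checking against the device's own queue count, rather than only the array capacity, also rejects slots that exist in the array but were never initialised for this device.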