The loadmultiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mhloadendaddr value greater than mhbssend_addr, which triggers an out-of-bounds read or write memory access.