From the Red Hat advisory:
* A vulnerability was discovered in spice in the server's protocol
handling. An authenticated attacker could send crafted messages to
the spice server causing a heap overflow leading to a crash or
possible code execution. (CVE-2016-9577)
* A vulnerability was discovered in spice in the server's protocol
handling. An attacker able to connect to the spice server could send
crafted messages which would cause the process to crash.
(CVE-2016-9578)

Spice is a next-generation remote desktop protocol, aimed at virtual
machines.

Focus is not just on display/input devices, but clipboard, audio,
video, OpenGL, smartcards, USB devices as well, no matter if the
virtual machine runs locally or on a remote host.

Not everything is implemented yet, and I didn't enable all available
features yet.

Currently, Spice is able to make qemu-kvm virtual machines very usable
for workstation guests, with good 2D video support, clipboard sharing,
full resolutions, auto-mouse-grab/ungrab, Xinerama / multiple guest
monitors. Good drivers for Windows 7 guests are available, as well as
Linux Xorg drivers / agents.

Basically, KVM was already the best-performing VM solution (using
virtio drivers), but VirtualBox, while slower, had better
desktop-integration support (still wins if you want OpenGL). Spice
fixes this, making the choice very easy.