Heap overflow in QEMU PCNET controller, allowing guest-host escape (xen.org)
46 points by _vvdf on June 10, 2015 | 5 comments


Keep in mind that the pcnet NIC is not used by default in most QEMU, KVM, or Xen deployments.

So it's mostly a problem in scenarios where untrusted users may add pcnet NICs to their VMs. Even then, remember that additional layers of security are available. KVM is typically deployed with unprivileged QEMU processes, locked down with SELinux (more details: https://danwalsh.livejournal.com/71489.html).
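
An added example, not part of the thread: one way an operator could check whether any guest actually has a pcnet NIC, by scanning libvirt domain XML and QEMU command lines. The sample domain XML and command line are constructed for illustration, and the function names are hypothetical.

```python
import shlex
import xml.etree.ElementTree as ET

MODEL = "pcnet"

# Constructed sample: a libvirt domain with one virtio NIC and one pcnet NIC.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest-example</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:00:00:01'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:02'/>
      <model type='pcnet'/>
    </interface>
  </devices>
</domain>
"""

# Constructed sample: the equivalent QEMU command line.
SAMPLE_CMDLINE = ("qemu-system-x86_64 -m 1024 "
                  "-netdev tap,id=n0 -device virtio-net-pci,netdev=n0 "
                  "-netdev tap,id=n1 -device pcnet,netdev=n1,mac=52:54:00:00:00:02")

def pcnet_in_domain_xml(xml_text):
    """Return MAC addresses ('?' if absent) of interfaces whose model is pcnet."""
    hits = []
    for iface in ET.fromstring(xml_text).findall("./devices/interface"):
        model = iface.find("model")
        if model is not None and model.get("type", "").lower() == MODEL:
            mac = iface.find("mac")
            hits.append(mac.get("address") if mac is not None else "?")
    return hits

def pcnet_in_qemu_cmdline(cmdline):
    """Return the option values in a QEMU command line that select a pcnet NIC."""
    argv = shlex.split(cmdline)
    hits = []
    for opt, val in zip(argv, argv[1:]):
        fields = val.split(",")
        if opt == "-device" and fields[0] in (MODEL, "driver=" + MODEL):
            hits.append(val)            # -device pcnet,... form
        elif opt == "-net" and fields[0] == "nic" and "model=" + MODEL in fields:
            hits.append(val)            # legacy -net nic,model=pcnet form
    return hits

if __name__ == "__main__":
    print(pcnet_in_domain_xml(SAMPLE_DOMAIN_XML))
    print(pcnet_in_qemu_cmdline(SAMPLE_CMDLINE))
```
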


Is this going to cause another AWS patchathon?


I think that only HVM instances with non-network optimized interfaces might be vulnerable.


Does this affect other products like VirtualBox, VMware, etc.?

Didn't the VENOM QEMU floppy driver bug hit a ton of products as well?


> Both the traditional "qemu-xen" or upstream qemu device models are potentially vulnerable.

VENOM was particularly nasty because, due to a bug/oversight, floppy emulation was always enabled in pretty much everything that used QEMU.

This only affects one specific network driver, which, to my knowledge, is nowhere used as the default.



