VENOM vulnerability can be exploited in targeted attacks against virtual machines to escape guest virtual instances and attack the host. The vulnerability lives in the virtual floppy disk controller component of QEMU, an open-source virtualization package. Experts have said that since the vulnerability would require an attacker to be authenticated to a virtual machine in order to carry out an exploit, serious risks are mitigated. The bug, for example, cannot be attacked at any kind of scale, and as of today, there has been only one publicly reported exploit.
Source: https://threatpost.com/oracle-patches-venom-vulnerability/112868/