User Reno Robert wrote a paper about VGA device emulation in bhyve, a vulnerability in it, and how he exploited the bug. Check out the full paper, which details exploitation strategies, sandbox escape, analysis in HardenedBSD, and more, at the link below.

--[ 1 - Introduction

VM escape has become a popular topic of discussion over the last few years.
A good amount of research on this topic has been published for various
hypervisors like VMware, QEMU, VirtualBox, Xen and Hyper-V. Bhyve is a
hypervisor for FreeBSD supporting hardware-assisted virtualization. This
paper details the exploitation of two bugs in bhyve -
FreeBSD-SA-16:32.bhyve [1] (VGA emulation heap overflow) and CVE-2018-17160
[21] (Firmware Configuration device bss buffer overflow) and some generic
techniques which could be used for exploiting other bhyve bugs. Further,
the paper also discusses sandbox escapes using PCI device passthrough, and
Control-Flow Integrity bypasses in HardenedBSD 12-CURRENT.

--[ 2 - Vulnerability in VGA emulation

FreeBSD disclosed a bug in VGA device emulation FreeBSD-SA-16:32.bhyve [1]
found by Ilja van Sprundel, which allows a guest to execute code in the
host. The bug affects virtual machines configured with the 'fbuf'
framebuffer device. The patch below fixed the issue:

Tale of two hypervisor bugs – Escaping from FreeBSD bhyve: