Could be a new source of undefined behavior and memory exploits, if threaded code is allowed to access collections that allocate memory without taking all the locks they should?
Inside the VM, yes. But not a security threat for the host.
The VM should be sandboxing the pages from each other, so those are potential security threats against targets on the same pages only. Not something to be too concerned about.