diff --git a/usr.sbin/bhyve/pci_emul.c b/usr.sbin/bhyve/pci_emul.c
--- a/usr.sbin/bhyve/pci_emul.c
+++ b/usr.sbin/bhyve/pci_emul.c
@@ -46,6 +46,7 @@
 #include <strings.h>
 #include <assert.h>
 #include <stdbool.h>
+#include <sysexits.h>
 
 #include <machine/vmm.h>
 #include <machine/vmm_snapshot.h>
@@ -113,6 +114,11 @@
 #define	PCI_EMUL_ECFG_SIZE	(MAXBUSES * 1024 * 1024)    /* 1MB per bus */
 SYSRES_MEM(PCI_EMUL_ECFG_BASE, PCI_EMUL_ECFG_SIZE);
 
+/*
+ * OVMF always uses 0xC0000000 as base address for 32 bit PCI MMIO. Don't
+ * change this address without changing it in OVMF.
+ */
+#define PCI_EMUL_MEMBASE32 0xC0000000
 #define	PCI_EMUL_MEMLIMIT32	PCI_EMUL_ECFG_BASE
 
 static struct pci_devemu *pci_emul_finddev(const char *name);
@@ -1159,8 +1165,11 @@
 	u_int regs[4];
 	int bus, slot, func, error;
 
+	if (vm_get_lowmem_limit(ctx) > PCI_EMUL_MEMBASE32)
+		errx(EX_OSERR, "Invalid lowmem limit");
+
 	pci_emul_iobase = PCI_EMUL_IOBASE;
-	pci_emul_membase32 = vm_get_lowmem_limit(ctx);
+	pci_emul_membase32 = PCI_EMUL_MEMBASE32;
 
 	do_cpuid(0x80000008, regs);
 	cpu_maxphysaddr = 1ULL << (regs[0] & 0xff);
@@ -1274,8 +1283,8 @@
 	/*
 	 * The guest physical memory map looks like the following:
 	 * [0,		    lowmem)		guest system memory
-	 * [lowmem,	    lowmem_limit)	memory hole (may be absent)
-	 * [lowmem_limit,   0xE0000000)		PCI hole (32-bit BAR allocation)
+	 * [lowmem,	    0xC0000000)		memory hole (may be absent)
+	 * [0xC0000000,     0xE0000000)		PCI hole (32-bit BAR allocation)
 	 * [0xE0000000,	    0xF0000000)		PCI extended config window
 	 * [0xF0000000,	    4GB)		LAPIC, IOAPIC, HPET, firmware
 	 * [4GB,	    4GB + highmem)