It's possible for DomU domain user to execute code in Dom0 context.
vulners.com/securityvulns/securityvulns:doc:18135
vulners.com/securityvulns/securityvulns:doc:20728