Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component.
A buggy or malicious HVM guest can crash the host.
Xen versions from at least 3.2.x onwards are vulnerable on x86 systems. Older versions have not been inspected. ARM systems are not vulnerable.