ARM guests can send an SGI (i.e. an IPI) targeting a list of vCPUs using the MMIO register GICD_SGIR (GICv2) or the System Register ICC_SGI1R (GICv3). However, the emulation code does not sanitize the list and will directly access an array without checking whether the array index is within bounds.
A guest may cause a hypervisor crash, resulting in a Denial of Service (DoS).
Xen versions 4.6 and onwards are affected. Xen versions 4.5 and earlier are not affected. Only ARM systems are affected. x86 systems are not affected.
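
The following simplified model of the GICv2 case shows the bounds check that the target-list handling described above lacks. It is an added illustration, not Xen's emulation code: the struct and function names are hypothetical, and silently ignoring out-of-range targets is an assumed policy.

```c
#include <stdint.h>
#include <stdio.h>

#define SGIR_TARGET_LIST_SHIFT 16     /* GICD_SGIR CPUTargetList, bits [23:16] */
#define SGIR_TARGET_LIST_MASK  0xffu
#define SGIR_INTID_MASK        0xfu   /* GICD_SGIR SGIINTID, bits [3:0] */

/* Hypothetical model of a guest: only the first nr_vcpus slots exist. */
struct model_vcpu { unsigned int pending_sgi; };   /* bitmap of pending SGIs */
struct model_domain {
    unsigned int nr_vcpus;
    struct model_vcpu *vcpu;          /* array of nr_vcpus entries */
};

/*
 * Emulate a guest write to GICD_SGIR in target-list mode.
 * Returns the number of vCPUs the SGI was delivered to.
 */
int model_sgir_write(struct model_domain *d, uint32_t sgir)
{
    unsigned int list = (sgir >> SGIR_TARGET_LIST_SHIFT) & SGIR_TARGET_LIST_MASK;
    unsigned int intid = sgir & SGIR_INTID_MASK;
    int delivered = 0;

    for (unsigned int i = 0; i < 8; i++) {
        if (!(list & (1u << i)))
            continue;
        /* The guest-chosen bit position becomes an array index, so it must
         * be bounded by the number of vCPUs the guest actually has. Without
         * this test, d->vcpu[i] is read and written out of bounds. */
        if (i >= d->nr_vcpus)
            continue;                 /* assumed policy: ignore bad targets */
        d->vcpu[i].pending_sgi |= 1u << intid;
        delivered++;
    }
    return delivered;
}

int main(void)
{
    struct model_vcpu v[2] = { {0}, {0} };   /* constructed: 2-vCPU guest */
    struct model_domain d = { 2, v };

    /* Constructed write: the guest names all 8 targets, only 2 exist. */
    printf("delivered to %d vCPUs\n", model_sgir_write(&d, (0xffu << 16) | 5u));
    return 0;
}
```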