Linux has a
failsafe callback, invoked by Xen under certain conditions. Normally in this failsafe callback, error_entry is paired with error_exit; and error_entry uses %ebx to communicate to error_exit whether to use the user or kernel return path.
Unfortunately, on 64-bit PV Xen on x86, error_exit is called without error_entry being called first, leaving %ebx with an invalid value.
A rogue user-space program could crash a guest kernel. Privilege escalation cannot be ruled out.
Only 64-bit x86 PV Linux systems are vulnerable. All versions of Linux are vulnerable.