When adding a passed-through PCI device to a domain after it was already started, IOMMU page tables may need constructing on the fly. For PV guests the decision whether a page ought to have a mapping is based on whether the page is writable, to prevent IOMMU access to things like page tables. Writablility of a page may, however, change at any time. Failure of the relevant code to respect this possible race may lead to IOMMU mappings of, in particular, page tables, allowing the guest to alter such page tables without Xen auditing the changes.
Malicious PV guests can escalate their privilege to that of the hypervisor.
All versions of Xen are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. Only guests which are assigned a device after domain creation can exploit this vulnerability. Guests which are not assigned devices, or guests assigned devices at domain creation time, cannot exploit this vulnerability.