x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale any TLB entries that may have been created by Xen’s internal use of linear page tables to process guest requests like update-va-mapping. Invalidation of these TLB entries has been missing, so a subsequent guest request to change address mappings for one process could modify memory that is meanwhile in use elsewhere.
Malicious x86 PV guest user mode code may be able to escalate its privilege to that of the guest kernel.
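The stale-entry condition described above, as an added toy model that is not Xen code and not part of the advisory. The two-level layout, the `tlb_lin` cache, the `flush_linear` switch and all values are constructed assumptions used only to show why a write through a cached linear-map translation lands in the old leaf table.

```c
#include <stdio.h>

/* Toy model (constructed, not Xen code): one L2 table whose slots select
 * an L1 table; tlb_lin caches the linear-map translation "L2 slot -> L1 table". */
enum { NL1 = 2, SLOTS = 4, NONE = -1 };
static int l1[NL1][SLOTS];   /* leaf tables: entries are frame numbers */
static int l2[SLOTS];        /* non-leaf entries: index of an L1 table */
static int tlb_lin[SLOTS];   /* cached linear-map translations */

static void reset(void) {
    for (int i = 0; i < SLOTS; i++) {
        l2[i] = 0; tlb_lin[i] = NONE;
        for (int t = 0; t < NL1; t++) l1[t][i] = 0;
    }
}

/* Models a leaf update done through the linear mapping (update-va-mapping). */
static void update_va_mapping(int va, int frame) {
    int s2 = va / SLOTS, s1 = va % SLOTS;
    if (tlb_lin[s2] == NONE) tlb_lin[s2] = l2[s2];  /* TLB miss: page walk */
    l1[tlb_lin[s2]][s1] = frame;                    /* write via cached entry */
}

/* Guest repoints a non-leaf entry, then asks for an INVLPG-like flush.
 * flush_linear selects whether the linear-map entry is invalidated too. */
static void change_non_leaf(int s2, int new_l1, int flush_linear) {
    l2[s2] = new_l1;
    if (flush_linear) tlb_lin[s2] = NONE;
}

/* Returns what ends up in old L1 table 0, slot 0, after it has been reused. */
int scenario(int flush_linear) {
    reset();
    update_va_mapping(0, 100);            /* caches slot 0 -> L1 table 0 */
    change_non_leaf(0, 1, flush_linear);  /* VA 0 is now served by L1 table 1 */
    l1[0][0] = 555;                       /* table 0 is now in use elsewhere */
    update_va_mapping(0, 200);            /* request meant for L1 table 1 */
    return l1[0][0];
}

int new_table_entry(void) { return l1[1][0]; }

int main(void) {
    printf("no linear flush:   old table holds %d\n", scenario(0));
    printf("with linear flush: old table holds %d\n", scenario(1));
    return 0;
}
```

Without the linear-map invalidation the second update overwrites the reused table; with it, the write reaches the table the non-leaf entry now points to.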
All versions of Xen expose the vulnerability.
The vulnerability is exposed to x86 PV guests only. x86 HVM/PVH guests as well as ARM ones are not vulnerable.