Linux kernel when returning from an iret assumes that %ds segment is safe and uses it to reference various per-cpu related fields. Unfortunately the user can modify the LDT and provide a NULL one. Whenever an iret is called we end up in xen_iret and try to use the %ds segment and cause an general protection fault.
Malicious or buggy unprivileged user space can cause the guest kernel to crash, or permit a privilege escalation within the guest, or operate erroneously.
All 32bit PVOPS versions of Linux are affected, since the introduction of Xen PVOPS support in 2.6.23. Classic-Xen kernels are not vulnerable.