Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to.
When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values.
Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash.
A HVM or PVH guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.
All Xen versions from at least 3.2 onwards are vulnerable. Earlier versions have not been inspected.
Only x86 systems are vulnerable. Arm systems are not vulnerable.
Only HVM or PVH guests can leverage the vulnerability. PV guests cannot leverage the vulnerability.