The ELF parser used by the Xen tools to read domains' kernels and construct domains has multiple integer overflows, pointer dereferences based on calculations from unchecked input values, and other problems.

This corresponds to the following CVEs:

CVE-2013-2194 XEN XSA-55 integer overflows
CVE-2013-2195 XEN XSA-55 pointer dereferences
CVE-2013-2196 XEN XSA-55 other problems

A malicious PV domain administrator who can specify their own kernel can escalate their privilege to that of the domain construction tools (i.e., normally, to control of the host). Additionally, a malicious HVM domain administrator who is able to supply their own firmware ("hvmloader") can do likewise; however, we think this would be very unusual and it is unlikely that such configurations exist in production systems.
All Xen versions are affected. Installations which only allow the use of trustworthy kernels for PV domains are not affected.
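
The class of bug described above (integer overflows and pointer calculations from unchecked ELF header values) is illustrated by the following added example, which is not code from Xen or from the advisory. It contrasts a bounds check that wraps with overflow-safe checks; all function names and the sample values are constructed for illustration.

```c
/* Added example; names are hypothetical and not taken from Xen's libelf. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unsafe pattern: off + len wraps modulo 2^64, so a huge off passes. */
static bool range_ok_naive(uint64_t off, uint64_t len, uint64_t size)
{
    return off + len <= size;
}

/* Safe form: compare without any arithmetic that can wrap. */
static bool range_ok(uint64_t off, uint64_t len, uint64_t size)
{
    return off <= size && len <= size - off;
}

/* A table of count entries of entsize bytes (e.g. section headers):
 * reject the product if it would overflow before checking the range. */
static bool table_ok(uint64_t off, uint64_t count, uint64_t entsize,
                     uint64_t size)
{
    if (entsize != 0 && count > UINT64_MAX / entsize)
        return false;
    return range_ok(off, count * entsize, size);
}

/* Return a pointer to a segment's file bytes, or NULL if the header
 * fields (p_offset, p_filesz) do not describe bytes inside the image. */
static const uint8_t *segment_ptr(const uint8_t *image, size_t image_size,
                                  uint64_t p_offset, uint64_t p_filesz)
{
    if (!range_ok(p_offset, p_filesz, image_size))
        return NULL;
    return image + (size_t)p_offset;
}

int main(void)
{
    static const uint8_t image[4096];                 /* constructed image */
    uint64_t off = 0xFFFFFFFFFFFFFFF0ULL, len = 0x20; /* constructed fields */

    printf("naive check accepts: %d\n", range_ok_naive(off, len, sizeof image));
    printf("safe check accepts:  %d\n", range_ok(off, len, sizeof image));
    printf("segment_ptr: %p\n", (const void *)segment_ptr(image, sizeof image, off, len));
    printf("table ok: %d\n", table_ok(64, 0x2000000000000000ULL, 8, sizeof image));
    return 0;
}
```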