Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation.
https://security.gentoo.org/glsa/201611-09
http://xenbits.xen.org/xsa/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
http://xenbits.xen.org/xsa/advisory-186.html
http://www.securitytracker.com/id/1036752