The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x through 4.6.x allows local guest users to cause a denial of service (host crash) via a preemptible hypercall to the multicall interface.
Debian Linux Security Advisory 3414-1 - Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.