Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.
Debian Linux Security Advisory 3519-1 - Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.