The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219.
Where the HVM guest is explicitly configured to use shadow paging (eg
via the hap=0' xl domain configuration file parameter), changing to HAP (eg by setting
hap=1') will avoid exposing the vulnerability to
those guests. HAP is the default (in upstream Xen), where the
hardware supports it; so this mitigation is only applicable if HAP has
been disabled by configuration.
(This mitigation is not applicable to PV guests.)