The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables.
Exploitability
AV:LAC:LPR:HUI:NScope
S:CImpact
C:HI:HA:H8.2/CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H