Xen 3.x, possibly before 3.1.2, when running on IA64 systems, does not check the RID value for mov_to_rr, which allows a VTi domain to read memory of other domains.

More... (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6207)