TL;DR: If you can force emulation of the LGDT or LIDT instructions, you can replace the global memory segment descriptor table or interrupt descriptor table (resp.), since the instruction emulation code fails to check permissions properly.
It's worth noting that very few people run HVM guests on Xen if they can avoid it. The performance hit is considerable. Most Xen setups I have seen are PV guests with pygrub bootloader. Host is Debian amd64, guests are also Debian amd64 or some variety of CentOS amd64.
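The permission check the TL;DR refers to, as an added toy model in C that is not Xen's emulator code and not part of the original comments: on hardware, LGDT and LIDT fault with #GP(0) in protected mode unless CPL is 0, so an emulation path has to apply the same rule before it touches GDTR or IDTR. All struct, enum and function names are hypothetical, and the descriptor values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (assumption): only the state needed to show the check. */
enum emu_result { EMU_OK, EMU_FAULT_GP };      /* EMU_FAULT_GP models #GP(0) */
enum desc_table { TABLE_GDT, TABLE_IDT };

struct desc_reg { uint64_t base; uint16_t limit; };
struct vcpu {
    unsigned cpl;                  /* current privilege level: 0 kernel, 3 user */
    struct desc_reg gdtr, idtr;
};
typedef enum emu_result (*emu_fn)(struct vcpu *, enum desc_table, struct desc_reg);

/* Flawed shape: loads the table register no matter who issued the instruction. */
enum emu_result emulate_load_unchecked(struct vcpu *v, enum desc_table t,
                                       struct desc_reg src)
{
    if (t == TABLE_GDT) v->gdtr = src; else v->idtr = src;
    return EMU_OK;
}

/* Checked shape: refuse before any state changes when CPL is not 0. */
enum emu_result emulate_load_checked(struct vcpu *v, enum desc_table t,
                                     struct desc_reg src)
{
    if (v->cpl != 0)
        return EMU_FAULT_GP;       /* caller injects the fault into the guest */
    return emulate_load_unchecked(v, t, src);
}

/* Runs one emulated LIDT at the given CPL; true if the IDTR was replaced. */
bool load_replaces_idt(emu_fn emulate, unsigned cpl)
{
    struct vcpu v = { .cpl = cpl, .gdtr = { 0x1000, 0x7f }, .idtr = { 0x2000, 0xfff } };
    struct desc_reg requested = { 0x5000, 0xfff };   /* constructed value */
    emulate(&v, TABLE_IDT, requested);
    return v.idtr.base == requested.base;
}

int main(void)
{
    printf("unchecked, CPL 3: replaced=%d\n", load_replaces_idt(emulate_load_unchecked, 3));
    printf("checked,   CPL 3: replaced=%d\n", load_replaces_idt(emulate_load_checked, 3));
    printf("checked,   CPL 0: replaced=%d\n", load_replaces_idt(emulate_load_checked, 0));
    return 0;
}
```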