A domain's primary array of vcpu pointers can be allocated by a
toolstack exactly once in the lifetime of a domain via the
XEN_DOMCTL_max_vcpus hypercall. This array is leaked on domain
teardown. This memory leak could -- over time -- exhaust the host's
memory.
A domain given partial management control via XEN_DOMCTL_max_vcpus
can mount a denial of service attack affecting the whole system. The
ability to also restart or create suitable domains is also required
to fully exploit the issue. Without this the leak is limited to a
small multiple of the maximum number of vcpus for the domain. The
maximum leak is 64kbytes per domain (re)boot (less on ARM).