CVE-2016-3157, XSA-171: I/O port access privilege escalation in x86-64 Linux IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 , to compensate for this the context switching of EFLAGS.IOPL requires the guest to make use of a dedicated hypercall . The invocation of this hypercall, while present in the 32-bit context switch path, is missing from its 64-bit counterpart.