Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by lower privilege level (i.e guest kernel/userspace) at the point of the ERET, this could potentially be used as part of a side-channel attack. Upstream Advisory: https://xenbits.xen.org/xsa/advisory-312.html
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1791289]