apt-get upgrading security issue CVE-2016-1252

There is none. And there will very much likely none in the foreseeable future. This is due to the the nature of malware. Detailed explanation:
Computer Security Education - Whonix

Practically, you cannot.

If the attacker used this exploit and then also was smart enough to have another exploit against xen and used that, then yes, also other VMs could possibly be comprised

Nothing. That is being discussed here:
https://forums.whonix.org/t/document-recovery-procedure-after-compromise