PCIe IDE Protocol Vulnerabilities Expose Intel and AMD Processors to Security Risks

Three security vulnerabilities have been identified in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification, potentially exposing systems to significant risks if exploited. According to the PCI Special Interest Group (PCI-SIG), the flaws affect PCIe Base Specification Revision 5.0 and later, specifically the protocol mechanisms introduced by the IDE Engineering Change Notice. The vulnerabilities could result in information disclosure, privilege escalation, or denial of service, depending on the implementation of affected PCIe components.

PCIe provides a high-speed interface for connecting hardware peripherals, including graphics cards, network adapters, storage devices, and sound cards, within computers and servers. The IDE protocol, introduced with PCIe 6.0, is designed to secure data transfers through encryption and integrity checks, aiming to protect sensitive information during communication between devices. Despite its security focus, the three newly discovered flaws demonstrate potential weaknesses that require attention from both hardware manufacturers and end users.

The vulnerabilities were discovered by Intel researchers Arie Aharon, Makaram Raghunandan, Scott Constable, and Shalini Sharma. CVE-2025-9612 allows reordering of PCIe traffic due to a missing integrity check, potentially causing the receiver to process stale data. CVE-2025-9613 involves incomplete flushing of a completion timeout, allowing a receiver to accept incorrect data when an attacker injects a packet with a matching tag. CVE-2025-9614 relates to delayed posted redirection, where incomplete flushing or re-keying of an IDE stream may lead to the consumption of outdated or incorrect data packets. PCI-SIG noted that exploiting these flaws could undermine the confidentiality, integrity, and overall security objectives of IDE. Successful attacks require physical or low-level access to the PCIe interface, which makes these low-severity issues, with a CVSS v3.1 score of 3.0 and a CVSS v4 score of 1.8.

The CERT Coordination Center released an advisory urging manufacturers to implement the updated PCIe 6.0 standard and apply guidance from Erratum #1 to their IDE implementations. Intel and AMD have confirmed the vulnerabilities affect Intel Xeon 6 Processors with P-cores, Xeon 6700P-B and 6500P-B series SoC, AMD EPYC 9005 Series, and AMD EPYC Embedded 9005 Series processors. End users are advised to apply firmware updates provided by component or system suppliers, especially in environments where IDE is relied upon to protect sensitive data. Prompt adoption of these updates is essential to ensure the isolation of trusted execution environments and prevent potential exploitation that could compromise both performance and security.
