Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could put a local attacker at serious risk.
According to the PCI Special Interest Group (PCI-SIG), the flaws affect the PCI Base Specification Revision 5.0 and later in the protocol mechanism introduced by an IDE Engineering Change Notice (ECN).
“This could potentially result in security risks, including, but not limited to, one or more of the following with the affected PCIe component(s), depending on the implementation: (i) information disclosure, (ii) elevation of privilege, or (iii) denial of service,” the consortium said.
PCIe is a widely used high-speed standard for connecting hardware peripherals and components inside computers and servers, including graphics cards, sound cards, Wi-Fi and Ethernet adapters, and storage devices. Introduced in PCIe 6.0, the PCIe IDE is designed to secure data transfers through encryption and integrity protection.
The three IDE vulnerabilities discovered by Intel employees Ari Aharon, Makram Raghunandan, Scott Constable, and Shalini Sharma are listed below –
- CVE-2025-9612 (Prohibited IDE reordering) – A missing integrity check on the receiver port could allow PCIE traffic to be re-ordered, causing the receiver to process stale data.
- CVE-2025-9613 (Completeness Timeout Redirect) – Incomplete flushing of the completion timeout can allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag.
- CVE-2025-9614 (Delayed Post Redirection) – Incomplete flushing or rekeying of the IDE stream may result in the receiver consuming old, incorrect data packets.
PCI-SIG stated that successful exploitation of the above vulnerabilities could undermine the confidentiality, integrity, and security objectives of the IDE. However, the attacks depend on gaining physical or low-level access to the targeted computer’s PCIe IDE interface, making them low-severity bugs (CVSS v3.1 score: 3.0/CVSS v4 score: 1.8).
“All three vulnerabilities potentially expose systems implementing the IDE and the Trusted Domain Interface Security Protocol (TDISP) to an adversary who could breach the isolation between trusted execution environments,” it said.
In an advisory issued Tuesday, the CERT Coordination Center (CERT/CC) urged manufacturers to follow the updated PCIe 6.0 standard and apply the Erratum #1 guidance to their IDE implementations. Intel and AMD have published their own alerts, stating that the issues affect the following products –
- Intel Xeon 6 processor with P-core
- Intel Xeon 6700P-B/6500P-B series SoC with P-core.
- AMD EPYC 9005 Series Processor
- AMD EPYC Embedded 9005 Series Processor
It adds, “End users should apply firmware updates provided by their system or component suppliers, especially in environments that rely on IDEs to protect sensitive data.”
