- Three security flaws have been found in the PCIe Integrity and Data Encryption (IDE) protocol, starting with PCIe 5.0.
- The flaws could lead to information leaks, privilege escalation, or denial of service if exploited.
- Successful attacks require physical or low-level access to the PCIe IDE interface, making the vulnerabilities low severity.
- Manufacturers are advised to update firmware following the PCIe 6.0 standard and Erratum #1 guidance to fix these issues.
- The affected products include Intel Xeon processors with P-cores and AMD EPYC 9005 series processors.
Three security vulnerabilities have been identified in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol, impacting the PCIe Base Specification Revision 5.0 and newer. The PCI Special Interest Group (PCI-SIG) confirmed these flaws could expose local attackers to significant risks in devices using this protocol, which was introduced to protect data via encryption and integrity measures as part of PCIe 6.0. For more information on the IDE protocol, see IDE specification.
PCIe is a high-speed interface standard widely used to connect hardware components such as graphics cards, Wi-Fi, Ethernet adapters, and storage devices within computing systems. The IDE mechanism aims to enhance security for data transmissions between these components. According to the PCI-SIG statement, exploitation of these vulnerabilities could result in information disclosure, higher privileges for attackers, or denial of service conditions.
The three identified vulnerabilities, discovered by Intel researchers Arie Aharon, Makaram Raghunandan, Scott Constable, and Shalini Sharma, include the following:
CVE-2025-9612: Forbidden IDE Reordering — a missing integrity check that may enable reordering of PCIe traffic, causing the receiver to process outdated data.
CVE-2025-9613: Completion Timeout Redirection — incomplete flushing of completion timeout could allow acceptance of incorrect data through injected packets with matching tags.
- Advertisement -CVE-2025-9614: Delayed Posted Redirection — incomplete flushing or re-keying of an IDE stream might cause consumption of stale or incorrect data packets.
PCI-SIG noted that exploiting these weaknesses threatens the confidentiality, integrity, and security goals of IDE. However, attacks require physical or low-level access to the target device’s PCIe IDE interface, which limits severity ratings to a CVSS v3.1 score of 3.0 and a CVSS v4 score of 1.8. Furthermore, the vulnerabilities may allow attackers to compromise isolation between trusted execution environments, affecting systems utilizing IDE and the Trusted Domain Interface Security Protocol (TDISP).
The CERT Coordination Center (CERT/CC) issued an advisory recommending that manufacturers adhere to the updated PCIe 6.0 requirement and apply Erratum #1 guidelines to their IDE implementations. Both Intel and AMD have released security alerts indicating affected hardware:
- Intel Xeon 6 Processors with P-cores
- Intel Xeon 6700P-B/6500P-B series SoC with P-Cores
- AMD EPYC 9005 Series Processors
- AMD EPYC Embedded 9005 Series Processors
Users should install firmware updates from system or component manufacturers, especially when operating environments depend on IDE for protecting sensitive information. For additional details, see the CERT advisory, Intel’s alert, and AMD’s bulletin.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
