PCIe 5.0+ Security Alert: Trio of Encryption Flaws Leads to Data Handling Vulnerabilities.
Three low-severity security flaws (CVE-2025-9612, CVE-2025-9613, CVE-2025-9614) were found in the PCIe Integrity and Data Encryption (IDE) protocol, affecting PCIe 5.0+ and 6.0 systems. The bugs could allow data corruption or privilege escalation if an attacker gains physical or low-level PCIe access. Intel and AMD products are impacted, and users are advised to apply firmware updates following PCI-SIG and CERT/CC guidance.
Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification. These flaws could expose affected systems to serious risk from a local attacker.
The PCI Special Interest Group (PCI-SIG) says that the flaws affect PCIe Base Specification Revision 5.0 and later, in the protocol mechanism that was added by the IDE Engineering Change Notice (ECN).
"Depending on how it is set up, this could put security at risk, including but not limited to one or more of the following with the affected PCIe component(s): information disclosure, escalation of privilege, or denial of service," the group said.
PCIe is a common high-speed standard for connecting hardware peripherals and components inside computers and servers. These include sound cards, graphics cards, Wi-Fi and Ethernet adapters, and storage devices. PCIe IDE was first used in PCIe 6.0. It uses encryption and integrity protections to keep data transfers safe.
Intel employees Arie Aharon, Makaram Raghunandan, Scott Constable, and Shalini Sharma found three IDE vulnerabilities, which are listed below:
- CVE-2025-9612 (Forbidden IDE Reordering): If a receiving port doesn't check for integrity, it might let PCIe traffic be reordered, which would cause the receiver to process old data.
- CVE-2025-9613 (Completion Timeout Redirection): If a completion timeout isn't fully flushed, a receiver may accept wrong data when an attacker sends a packet with a matching tag.
- CVE-2025-9614 (Delayed Posted Redirection): If an IDE stream isn't fully flushed or re-keyed, the receiver may end up using old, wrong data packets.
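The stale-data failure mode behind the timeout and re-key items above can be seen in a small model. This is an added example, not code from PCI-SIG, Intel or the PCIe specification: the `Requester` class, its tag table, the `epoch` counter standing in for a flushed or re-keyed stream, and the quarantine policy are all simplifying assumptions.

```python
# Simplified model of a requester's tag table; NOT actual PCIe IDE behaviour.
from dataclasses import dataclass, field

@dataclass
class Requester:
    flush_on_timeout: bool      # True = hardened policy (assumed for illustration)
    epoch: int = 0              # bumped whenever the stream is flushed / re-keyed
    outstanding: dict = field(default_factory=dict)  # tag -> (epoch, address)
    quarantined: set = field(default_factory=set)    # timed-out tags awaiting flush

    def read(self, tag, address):
        if tag in self.outstanding or tag in self.quarantined:
            raise RuntimeError(f"tag {tag} is not free")
        self.outstanding[tag] = (self.epoch, address)

    def timeout(self, tag):
        del self.outstanding[tag]
        if self.flush_on_timeout:
            self.quarantined.add(tag)   # tag stays unusable until flush()

    def flush(self):
        self.epoch += 1                 # traffic from older epochs is now invalid
        self.quarantined.clear()

    def completion(self, tag, epoch, data):
        """Return (address, data) if the completion is accepted, else None."""
        entry = self.outstanding.get(tag)
        if entry is None:
            return None                 # no request is waiting on this tag
        if self.flush_on_timeout and epoch != entry[0]:
            return None                 # sent before the flush: drop it
        del self.outstanding[tag]
        return (entry[1], data)

def scenario(flush_on_timeout):
    """Read times out, tag 7 is reused, then the old completion shows up."""
    r = Requester(flush_on_timeout)
    r.read(tag=7, address=0x1000)
    r.timeout(7)
    if flush_on_timeout:
        r.flush()
    r.read(tag=7, address=0x2000)       # same tag, different request
    # Constructed late packet: belongs to the 0x1000 read, sent in epoch 0.
    return r.completion(tag=7, epoch=0, data=b"stale-0x1000")

if __name__ == "__main__":
    print("no flush :", scenario(False))  # stale data bound to 0x2000
    print("flushed  :", scenario(True))   # dropped
```

Without the flush, the only thing tying a completion to a request is the tag, so the late packet is delivered as the answer to an unrelated read.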
PCI-SIG said that successful exploitation of the vulnerabilities above could undermine IDE's confidentiality, integrity, and security objectives. However, the attacks depend on getting physical or low-level access to the targeted computer's PCIe IDE interface, which makes them low-severity bugs (CVSS v3.1 score: 3.0; CVSS v4 score: 1.8).
It said, "All three vulnerabilities could let an attacker get into systems that use IDE and Trusted Domain Interface Security Protocol (TDISP) and break the isolation between trusted execution environments."
The CERT Coordination Center (CERT/CC) sent out an advisory on Tuesday telling manufacturers to follow the new PCIe 6.0 standard and use the Erratum #1 guidance in their IDE implementations. Intel and AMD have both put out their own warnings, saying that the problems affect the following products:
- Intel Xeon 6 Processors with P-cores
- Intel Xeon 6700P-B/6500P-B series SoC with P-Cores
- AMD EPYC 9005 Series Processors
- AMD EPYC Embedded 9005 Series Processors
CERT/CC said, "End users should use firmware updates from their system or component suppliers, especially in places that use IDE to keep sensitive data safe."