{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/404544#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nPCI Express Integrity and Data Encryption (PCIe IDE), introduced in the PCIe 6.0 standard, provides link-level encryption and integrity protection for data transferred across PCIe connections. Several issues were identified in the IDE specification that could allow an attacker with local access to influence data consumed on the link. The PCIe 6.0 IDE Erratum provides corrective guidance, and firmware and hardware updates are expected to address these concerns.\r\n\r\n### Description\r\nIDE uses AES-GCM encryption to protect confidentiality, integrity, and replay resistance for traffic between PCIe components. It operates between the transaction layer and the data link layer, providing protection close to the hardware against unauthorized modification of link traffic.\r\n\r\nThree specification-level vulnerabilities can, under certain conditions, result in consumption of stale or incorrect data if an attacker is able to craft specific traffic patterns at the PCIe interface:\r\n\r\n1. **CVE-2025-9612** – A missing integrity check on a receiving port may allow re-ordering of PCIe traffic, leading the receiver to process stale data.\r\n2. **CVE-2025-9613** – Incomplete flushing of a completion timeout may allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag.\r\n3. **CVE-2025-9614** – Incomplete flushing or re-keying of an IDE stream may result in the receiver consuming stale incorrect data packets.\r\n\r\nThe PCI-SIG has issued a Draft Engineering Change Notice (D-ECN) titled “IDE TLP Reordering Enhancement” to the [Base Specification Rev 7.0](https://pcisig.com/PCI%20Express/ECN/Base/IntegrityandDataEncryption_A). 
The D-ECN feature will be included in upcoming PCI specifications (Base 6.5 and 7.1) and can also be used in current Base 5.x systems through standard compliance procedures. Hardware and firmware vendors that support PCIe 5.0 IDE should apply these corrections and incorporate the updated test procedures to ensure their implementations are compliant. Because IDE operates at the link layer, operating systems and applications may not detect these conditions directly. Timely firmware distribution through normal supply-chain channels is recommended.\r\n\r\n### Impact\r\nAn attacker with physical or low-level access to the PCIe IDE interface may be able to craft packets that cause the receiver to accept stale or corrupted data, affecting the integrity of the protected link.\r\n\r\n### Solution\r\nManufacturers should follow the updated PCIe 6.0 standard and apply the Erratum #1 guidance to their IDE implementations. End users should apply firmware updates provided by their system or component suppliers, especially in environments that rely on IDE to protect sensitive data.\r\n\r\n### Acknowledgements\r\nThese issues were reported by Arie Aharon, Makaram Raghunandan, Scott Constable, and Shalini Sharma to follow proper disclosure procedure. Coordination support was actively provided by Intel and PCI-SIG members. This document was prepared by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01409.html","title":"Vendor statement from Intel"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/404544"},{"url":"https://pcisig.com/PCIeIDEStandardVulnerabilities","summary":"https://pcisig.com/PCIeIDEStandardVulnerabilities"},{"url":"https://pcisig.com/PCI%20Express/ECN/Base/IntegrityandDataEncryption_A","summary":"https://pcisig.com/PCI%20Express/ECN/Base/IntegrityandDataEncryption_A"},{"url":"https://pcisig.com/specifications","summary":"https://pcisig.com/specifications"},{"url":"https://pcisig.com/sites/default/files/files/PCIe%20Security%20Webinar_Aug%202020_PDF.pdf","summary":"https://pcisig.com/sites/default/files/files/PCIe%20Security%20Webinar_Aug%202020_PDF.pdf"},{"url":"https://pcisig.com/blog/integrity-and-data-encryption-ide-and-io-security-updates","summary":"https://pcisig.com/blog/integrity-and-data-encryption-ide-and-io-security-updates"},{"url":"https://semiengineering.com/new-age-solution-for-data-integrity-and-authenticity/","summary":"https://semiengineering.com/new-age-solution-for-data-integrity-and-authenticity/"}],"title":"Vulnerabilities identified in PCIe Integrity and Data Encryption (IDE) protocol 
specification","tracking":{"current_release_date":"2025-12-09T19:16:40+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#404544","initial_release_date":"2025-12-09 18:09:16.502655+00:00","revision_history":[{"date":"2025-12-09T19:16:40+00:00","number":"1.20251209191640.2","summary":"Released on 2025-12-09T19:16:40+00:00"}],"status":"final","version":"1.20251209191640.2"}},"vulnerabilities":[{"title":"A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the same tag.","notes":[{"category":"summary","text":"A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the same tag. This tag aliasing condition can result in completions being delivered to the wrong security context, potentially compromising data integrity and confidentiality."}],"cve":"CVE-2025-9613","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#404544"}],"product_status":{"known_affected":["CSAFPID-c4806d80-390f-11f1-8422-122e2785dc9f","CSAFPID-c480ee36-390f-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-c480014c-390f-11f1-8422-122e2785dc9f","CSAFPID-c4803c34-390f-11f1-8422-122e2785dc9f","CSAFPID-c480a4c6-390f-11f1-8422-122e2785dc9f","CSAFPID-c480c8ca-390f-11f1-8422-122e2785dc9f"]}},{"title":"An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous security context to be processed in a new one.","notes":[{"category":"summary","text":"An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, 
where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous security context to be processed in a new one. This can lead to unintended data access across trusted domains, compromising confidentiality and integrity."}],"cve":"CVE-2025-9614","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#404544"}],"product_status":{"known_affected":["CSAFPID-c481f416-390f-11f1-8422-122e2785dc9f","CSAFPID-c482a2d0-390f-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-c4815c36-390f-11f1-8422-122e2785dc9f","CSAFPID-c481a2ea-390f-11f1-8422-122e2785dc9f","CSAFPID-c48235ca-390f-11f1-8422-122e2785dc9f","CSAFPID-c4826aa4-390f-11f1-8422-122e2785dc9f"]}},{"title":"An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or reordered without detection.","notes":[{"category":"summary","text":"An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or reordered without detection. 
This can enable local or physical attackers on the PCIe bus to violate data integrity protections."}],"cve":"CVE-2025-9612","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#404544"}],"product_status":{"known_affected":["CSAFPID-c4835522-390f-11f1-8422-122e2785dc9f","CSAFPID-c483ff54-390f-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-c4830586-390f-11f1-8422-122e2785dc9f","CSAFPID-c4832d54-390f-11f1-8422-122e2785dc9f","CSAFPID-c4839f5a-390f-11f1-8422-122e2785dc9f","CSAFPID-c483d290-390f-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"NVIDIA","product":{"name":"NVIDIA Products","product_id":"CSAFPID-c480014c-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Keysight Technologies","product":{"name":"Keysight Technologies Products","product_id":"CSAFPID-c4803c34-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-c4806d80-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Dell","product":{"name":"Dell Products","product_id":"CSAFPID-c480a4c6-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-c480c8ca-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-c480ee36-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NVIDIA","product":{"name":"NVIDIA Products","product_id":"CSAFPID-c4815c36-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Keysight Technologies","product":{"name":"Keysight Technologies Products","product_id":"CSAFPID-c481a2ea-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-c481f416-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Dell","product":{"name":"Dell Products","product_id":"CSAFPID-c48235ca-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 
Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-c4826aa4-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-c482a2d0-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NVIDIA","product":{"name":"NVIDIA Products","product_id":"CSAFPID-c4830586-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Keysight Technologies","product":{"name":"Keysight Technologies Products","product_id":"CSAFPID-c4832d54-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-c4835522-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Dell","product":{"name":"Dell Products","product_id":"CSAFPID-c4839f5a-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-c483d290-390f-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-c483ff54-390f-11f1-8422-122e2785dc9f"}}]}}