CISA details PCIe IDE specification vulnerabilities

PCI Express (PCIe) Integrity and Data Encryption (IDE), the link-layer encryption feature introduced with PCIe 6.0, contains specification-level flaws that can allow an attacker with local access to influence the data a receiver consumes and thereby undermine the integrity of the protected link.

IDE implements AES-GCM to provide confidentiality, integrity, and replay resistance for traffic between PCIe components, and it operates between the transaction layer and the data link layer.

The specification-level issues are catalogued as CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614. CVE-2025-9612 is a missing integrity check on a receiving port that may permit re-ordering of PCIe traffic and lead the receiver to process stale data. CVE-2025-9613 involves incomplete flushing of a completion timeout that may permit a receiver to accept incorrect data when an attacker injects a packet with a matching tag. CVE-2025-9614 concerns incomplete flushing or re-keying of an IDE stream that may result in the receiver consuming stale, incorrect data packets.

The PCI-SIG has published a Draft Engineering Change Notice (D-ECN) titled “IDE TLP Reordering Enhancement” to Base Specification Rev 7.0. That D-ECN will be included in the upcoming PCIe specifications Base 6.5 and 7.1 and can be used in current Base 5.x systems through standard compliance procedures. Hardware and firmware vendors that support PCIe 5.0 IDE are advised to apply the corrections and updated test procedures to ensure compliance.

An attacker with physical or low-level access to the PCIe IDE interface may be able to craft packets that cause the receiver to accept stale or corrupted data, affecting the integrity of the protected link.

The PCIe 6.0 IDE Erratum provides corrective guidance, and firmware and hardware updates are expected to address these concerns. Manufacturers should follow the updated PCIe 6.0 standard and apply the Erratum #1 guidance to their IDE implementations, and end users should apply firmware updates provided by their system or component suppliers, especially in environments that rely on IDE to protect sensitive data.

Because IDE functions at the link layer, operating systems and applications may not detect these conditions directly; timely firmware distribution through normal supply-chain channels is recommended, and vendors supporting PCIe 5.0 IDE should incorporate the updated test procedures and apply the D-ECN corrections to their implementations to achieve compliance.
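Because the operating system cannot observe these conditions, a useful first step for defenders is to inventory which devices advertise the IDE capability and so depend on vendor firmware fixes. The following is an added example, not part of the original article or any vendor tooling: it walks the PCIe extended capability list in a raw config-space image and assumes the IDE extended capability ID 0x0030 as defined in Linux's `pci_regs.h`, the Linux sysfs path `/sys/bus/pci/devices`, and a constructed sample image. A hit means the device supports IDE, not that IDE is enabled or that the device is affected.

```python
import struct
from pathlib import Path

EXT_CAP_START = 0x100        # extended capabilities follow the 256-byte legacy space
PCI_EXT_CAP_ID_IDE = 0x0030  # IDE extended capability ID (per Linux pci_regs.h)

def ext_cap_ids(cfg: bytes) -> list:
    """Walk the PCIe extended capability list in a raw config-space image."""
    ids, offset, seen = [], EXT_CAP_START, set()
    while EXT_CAP_START <= offset <= len(cfg) - 4 and offset not in seen:
        seen.add(offset)                      # guard against looping next pointers
        (header,) = struct.unpack_from("<I", cfg, offset)
        if header in (0, 0xFFFFFFFF):         # empty list or device not responding
            break
        ids.append(header & 0xFFFF)           # bits 15:0 = capability ID
        offset = (header >> 20) & 0xFFC       # bits 31:20 = next offset, dword aligned
    return ids

def has_ide(cfg: bytes) -> bool:
    return PCI_EXT_CAP_ID_IDE in ext_cap_ids(cfg)

def scan_sysfs(root: str = "/sys/bus/pci/devices") -> list:
    """Addresses of devices advertising IDE. Non-root reads return only the
    first 64 bytes of config space, so run as root for a complete answer."""
    found = []
    for dev in sorted(Path(root).glob("*")):
        try:
            cfg = (dev / "config").read_bytes()
        except OSError:
            continue
        if has_ide(cfg):
            found.append(dev.name)
    return found

def build_sample(caps) -> bytes:
    """Constructed 4 KiB config image from (offset, cap_id, next_offset) entries."""
    cfg = bytearray(4096)
    for offset, cap_id, nxt in caps:
        struct.pack_into("<I", cfg, offset, (nxt << 20) | (1 << 16) | cap_id)
    return bytes(cfg)

if __name__ == "__main__":
    sample = build_sample([(0x100, 0x0001, 0x148), (0x148, PCI_EXT_CAP_ID_IDE, 0)])
    print("constructed sample advertises IDE:", has_ide(sample))
    for bdf in scan_sysfs():
        print(bdf, "advertises IDE: check vendor firmware advisories")
```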