SecurityWeek

Intel, AMD Processors Affected by PCIe Vulnerabilities

The PCIe flaws, found by Intel employees, can be exploited for information disclosure, escalation of privilege, or DoS.

Major hardware vendors are investigating the potential impact of three recently discovered PCI Express (PCIe) vulnerabilities. 

PCIe is the widely used high-speed hardware interface standard that connects GPUs, SSDs, network cards, and other peripherals inside computers and servers. It also serves as a direct communication link between the CPU and these peripherals.

The flaws, discovered by Intel employees, affect the PCIe Integrity and Data Encryption (IDE) standard. The security holes are tracked as CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614. 

PCIe IDE, introduced in PCIe 6.0, is designed to secure data transfers through encryption and integrity protection. 

“IDE uses AES-GCM encryption to protect confidentiality, integrity, and replay resistance for traffic between PCIe components. It operates between the transaction layer and the data link layer, providing protection close to the hardware against unauthorized modification of link traffic,” the CERT/CC at Carnegie Mellon University explained in an advisory.

“Three specification-level vulnerabilities can, under certain conditions, result in consumption of stale or incorrect data if an attacker is able to craft specific traffic patterns at the PCIe interface,” CERT/CC added.

Exploitation of the vulnerabilities can lead to information disclosure, privilege escalation, or denial of service (DoS).

However, the vulnerabilities have all been classified as ‘low severity’ as their exploitation requires physical or low-level access to the targeted computer’s PCIe IDE interface. 

Vulnerabilities of this type are typically useful to security researchers specializing in hardware security, or to sophisticated threat actors that want to gain deep and stealthy access to a system in a highly targeted attack.

The PCI Special Interest Group (SIG), the consortium responsible for developing and maintaining PCIe, has published an advisory summarizing each of the vulnerabilities. 

Hardware vendors that use PCIe have been provided an Engineering Change Notification (ECN) that addresses the vulnerabilities. System and component suppliers are expected to release firmware updates.

According to CERT/CC’s advisory, only Intel and AMD have confirmed that their products are affected. Nvidia, Dell, F5, and Keysight said they are not affected. However, there is a list of more than a dozen other vendors with an ‘unknown’ impact status, including Arm, Cisco, Google, HP, IBM, Lenovo, and Qualcomm.

Intel has published its own advisory to inform customers that some of its Xeon 6 and Xeon 6700P-B/6500P-B series processors are affected.

AMD has also published an advisory. The company says it’s still waiting for additional details on the vulnerabilities, but believes its EPYC 9005 series (including embedded) processors may be impacted. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
