Skip to main content
CVE Vulnerability Database

CVE-2025-9613: PCIe IDE Information Disclosure Flaw

CVE-2025-9613 is an information disclosure vulnerability in PCI Express Integrity and Data Encryption that enables tag aliasing attacks, delivering completions to wrong security contexts. This analysis covers technical details, impact, and mitigation.

Published:

CVE-2025-9613 Overview

CVE-2025-9613 affects the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification maintained by PCI-SIG. The specification provides insufficient guidance on tag reuse after completion timeouts. This gap permits multiple outstanding Non-Posted Requests to share the same tag identifier. When tag aliasing occurs, completions may be routed to the wrong security context. The result is potential compromise of data integrity and confidentiality across isolated PCIe streams.

Critical Impact

Tag aliasing in PCIe IDE can deliver completion transactions to the wrong security context, breaking the confidentiality and integrity guarantees the IDE specification is designed to enforce between trusted device streams.

Affected Products

  • PCI-SIG PCI Express Integrity and Data Encryption (IDE) specification
  • Implementations of the PCIe IDE standard in root complexes and endpoint devices
  • Systems relying on IDE stream isolation for confidential computing workloads

Discovery Timeline

  • 2025-12-09 - CVE-2025-9613 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9613

Vulnerability Analysis

PCIe IDE protects Transaction Layer Packets (TLPs) between two endpoints using cryptographic integrity and encryption. Non-Posted Requests such as memory reads require matching completions returned by the responder. Each request carries a tag that binds the completion back to the originator's outstanding request context. The specification does not clearly define how a requester should treat a tag after a completion timeout expires. A requester may reuse a timed-out tag while the original request is still in flight downstream. When the delayed completion eventually arrives, the receiving logic cannot distinguish between the stale response and the response to the new request bearing the same tag.

Root Cause

The root cause is a specification-level gap classified under [NVD-CWE-noinfo]. The IDE specification lacks binding rules that tie a tag exclusively to a single outstanding request until the transaction fully retires. Without a mandatory quiescence or invalidation step after a completion timeout, implementations may legally reuse tags that remain live on the fabric.

Attack Vector

Exploitation requires an attacker able to influence PCIe traffic timing on the network-reachable fabric so that completion timeouts trigger predictably. The attacker does not need privileges or user interaction. By inducing timeouts on targeted Non-Posted Requests, the attacker can cause completions belonging to one IDE-protected security context to be consumed by another. This produces cross-context data leakage or corruption of data delivered to trusted device streams. No public proof-of-concept or exploitation activity is reported, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-9613

Indicators of Compromise

  • Elevated PCIe completion timeout counters on IDE-protected streams, particularly on links carrying confidential compute workloads
  • Unexpected IDE integrity check failures or MAC verification errors logged by the root complex
  • Anomalous rates of tag reuse events reported by PCIe analyzer captures on affected links

Detection Strategies

  • Instrument PCIe root complex telemetry to correlate completion timeouts with subsequent tag reuse on the same requester ID
  • Review vendor firmware and platform logs for IDE stream errors, replay counter anomalies, or unexpected key rotation events
  • Use hardware PCIe protocol analyzers in lab validation to confirm that endpoint implementations quiesce tags after timeouts

Monitoring Recommendations

  • Track IDE stream error counters exposed through platform management interfaces and alert on sustained increases
  • Baseline expected completion timeout rates per device class and flag deviations for investigation
  • Monitor vendor advisories from silicon and platform suppliers for firmware updates addressing IDE tag management

How to Mitigate CVE-2025-9613

Immediate Actions Required

  • Inventory systems that rely on PCIe IDE for confidential computing, GPU attestation, or trusted device isolation
  • Contact silicon and platform vendors to confirm whether their IDE implementations are affected and request remediation timelines
  • Restrict physical and administrative access to systems exposing IDE-protected PCIe links until vendor updates are applied

Patch Information

PCI-SIG has published guidance on the affected specification behavior. Refer to the PCI-SIG Vulnerabilities Overview for the authoritative advisory and to the PCI-SIG Specifications Document for updated specification language. Remediation depends on firmware and hardware updates from device and platform vendors that implement the revised tag management rules.

Workarounds

  • Disable PCIe IDE where the feature is not required for the workload, reverting to alternative isolation controls
  • Reduce completion timeout windows only where vendor guidance confirms it does not increase aliasing risk
  • Segregate sensitive workloads onto platforms with confirmed remediated IDE implementations

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.