CVE-2025-9613

6.5 MEDIUM

📋 TL;DR

A vulnerability in the PCI Express IDE specification allows tag aliasing where multiple outstanding Non-Posted Requests can share the same tag due to insufficient guidance on tag reuse after completion timeouts. This can cause completions to be delivered to the wrong security context, compromising data integrity and confidentiality. Affected systems include any hardware implementing PCIe IDE with vulnerable firmware or drivers.

💻 Affected Systems

Products:
  • Hardware implementing PCIe IDE specification
Versions: All versions prior to specification update
Operating Systems: All operating systems using affected PCIe hardware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists at hardware/firmware level; specific implementations by different vendors may vary in exploitability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of encrypted PCIe traffic, allowing attackers to read or modify sensitive data in transit between system components, potentially leading to full system compromise.

🟠 Likely Case

Data corruption or leakage in specific PCIe transactions, potentially exposing sensitive information or causing system instability.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, though data integrity risks may persist in specific scenarios.

🌐 Internet-Facing: LOW - This is primarily an internal hardware/firmware vulnerability requiring local access or compromised internal components.
🏢 Internal Only: HIGH - Exploitation requires access to internal systems but could compromise sensitive internal data flows and system integrity.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires deep understanding of PCIe protocol and hardware-level access; likely requires specialized tools and knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated PCIe IDE specification

Vendor Advisory: https://pcisig.com/PCIeIDEStandardVulnerabilities

Restart Required: Yes

Instructions:

1. Check with hardware vendors for firmware/driver updates addressing PCIe IDE implementation.
2. Apply vendor-provided firmware updates.
3. Update system BIOS/UEFI if required.
4. Restart system to apply changes.

🔧 Temporary Workarounds

Disable PCIe IDE if not required

all

If PCIe Integrity and Data Encryption is not essential for your use case, disable it in system BIOS/UEFI settings.

Implement strict access controls

all

Limit physical and administrative access to systems with vulnerable PCIe hardware to reduce attack surface.

🧯 If You Can't Patch

  • Segment networks to isolate systems with vulnerable PCIe hardware from sensitive data flows
  • Implement enhanced monitoring for unusual PCIe transaction patterns or system instability

🔍 How to Verify

Check if Vulnerable:

Check system BIOS/UEFI settings for PCIe IDE status and consult hardware vendor documentation for specific vulnerability assessment tools.

Check Version:

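lspci -vvv | grep -i ide (Linux; run as root, since unprivileged users cannot read the capability lists) or system information tools specific to hardware vendor. The pattern "ide" also matches unrelated text such as legacy IDE storage controllers and the word "Video", so confirm that each hit refers to Integrity and Data Encryption.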

Verify Fix Applied:

Verify firmware/driver versions against vendor advisories and confirm PCIe IDE implementation complies with updated specification.

📡 Detection & Monitoring

Log Indicators:

  • System logs showing PCIe transaction errors
  • Firmware/driver crash logs related to PCIe operations

Network Indicators:

  • Unusual patterns in encrypted PCIe traffic (requires specialized monitoring tools)

SIEM Query:

Search for system events related to PCIe driver failures or hardware errors in system logs
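
One way to turn the log indicators above into a concrete check on Linux, as an added example that is not part of the original advisory: it scans kernel log text for the AER status names the Linux kernel prints for completion timeouts (CmpltTO) and unexpected completions (UnxCmplt) and lists the devices that reported them. The sample log, device addresses and function names are constructed for illustration, and a hit is a prompt for review, not evidence of exploitation.

```python
import re
from collections import defaultdict

# Constructed sample in the format the Linux kernel AER driver writes to the
# kernel log; device addresses, IDs and timestamps are made up for this example.
SAMPLE_LOG = """\
[  101.204411] pcieport 0000:00:01.0: AER: Uncorrected (Non-Fatal) error received: 0000:01:00.0
[  101.204420] nvme 0000:01:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
[  101.204425] nvme 0000:01:00.0:   device [1234:5678] error status/mask=00004000/00000000
[  101.204429] nvme 0000:01:00.0:    [14] CmpltTO                (First)
[  101.350112] nvme 0000:01:00.0:    [16] UnxCmplt               (First)
[  230.000871] pcieport 0000:00:1c.0: AER: Corrected error received: 0000:03:00.0
[  230.000880] igb 0000:03:00.0:    [ 0] RxErr                  (First)
"""

# AER status names for the completion-related errors relevant to this advisory.
WATCHED = {"CmpltTO": "completion timeout", "UnxCmplt": "unexpected completion"}

# Matches the per-bit AER detail line: "<driver> <domain:bus:dev.fn>:  [NN] <Name>"
AER_BIT = re.compile(
    r"(?P<drv>\S+) (?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]):"
    r"\s+\[\s*(?P<bit>\d+)\]\s+(?P<name>\w+)", re.I)

def completion_errors(log_text):
    """Return {bdf: {status_name: count}} for the watched AER status bits."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = AER_BIT.search(line)
        if m and m["name"] in WATCHED:
            hits[m["bdf"]][m["name"]] += 1
    return {bdf: dict(counts) for bdf, counts in hits.items()}

def devices_to_review(log_text):
    """Devices that logged at least one completion timeout, sorted by address."""
    return sorted(b for b, c in completion_errors(log_text).items() if "CmpltTO" in c)

if __name__ == "__main__":
    for bdf, counts in completion_errors(SAMPLE_LOG).items():
        print(bdf, ", ".join(f"{WATCHED[n]} x{k}" for n, k in counts.items()))
```
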
