Three PCIe Encryption Weaknesses Expose PCIe 5.0+ Systems to Faulty Data Handling
Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could expose affected systems to serious risks from a local attacker. The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special
AI Analysis
Technical Summary
The disclosed vulnerabilities affect the PCIe Integrity and Data Encryption (IDE) protocol mechanism introduced in PCIe Base Specification Revision 5.0 and later, specifically related to the IDE Engineering Change Notice (ECN). PCIe is a critical high-speed interface standard used to connect internal hardware components such as GPUs, network adapters, and storage devices. The IDE protocol was introduced to secure data transfers by encrypting them and ensuring their integrity.

The three identified vulnerabilities are:
- CVE-2025-9612 (Forbidden IDE Reordering): a missing integrity check on the receiving port allows reordering of PCIe traffic, causing the receiver to process stale data.
- CVE-2025-9613 (Completion Timeout Redirection): incomplete flushing of a completion timeout enables acceptance of incorrect data via injected packets with matching tags.
- CVE-2025-9614 (Delayed Posted Redirection): incomplete flushing or re-keying of an IDE stream results in consumption of stale or incorrect data packets.

These flaws can lead to information disclosure, privilege escalation, or denial of service by undermining the confidentiality and integrity of PCIe data streams. Exploitation requires local or physical access to the PCIe IDE interface, making remote attacks infeasible. The vulnerabilities impact Intel Xeon 6 processors with P-cores, Intel Xeon 6700P-B/6500P-B series SoCs, and AMD EPYC 9005 and EPYC Embedded 9005 series processors. The PCI Special Interest Group (PCI-SIG) and the CERT Coordination Center recommend adopting the updated PCIe 6.0 standard and Erratum #1 guidance to mitigate these issues. Firmware updates from hardware vendors are critical to address these vulnerabilities. The attack surface is limited to environments where an attacker can breach isolation between trusted execution environments and gain low-level access to PCIe IDE interfaces.
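The three weaknesses above are all receive-side bookkeeping failures: not binding packet order to the integrity check, not fully retiring a timed-out completion tag, and not flushing state tied to an old key. The following constructed Python model is an added illustration, not PCIe IDE specification code and not any vendor's implementation; the packet layout, the truncated HMAC, the per-key counter, the tag bookkeeping and the "drop everything from the old key epoch after re-key" policy are all assumptions chosen to make the three checks visible. It shows, for each CVE class, the check that a hardened receiver performs and the stale or redirected packet that check rejects.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed model (assumption): a TLP carries the key epoch it was protected
# under, a per-epoch counter, an optional transaction tag and a MAC that binds
# all of them to the payload. Real IDE encoding differs; only the logic matters.


@dataclass(frozen=True)
class Tlp:
    kind: str            # "posted", "nonposted" or "completion"
    key_id: int          # key epoch the sender used
    counter: int         # per-epoch sequence number, bound by the MAC
    tag: Optional[int]   # transaction tag for requests and completions
    payload: bytes
    mac: bytes


def mac_for(key: bytes, kind: str, key_id: int, counter: int,
            tag: Optional[int], payload: bytes) -> bytes:
    header = f"{kind}|{key_id}|{counter}|{tag}|".encode()
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:8]


class Sender:
    """Honest link partner: current key, strictly increasing counter per epoch."""

    def __init__(self, key: bytes):
        self.keys, self.key_id, self.counter = {0: key}, 0, 0

    def rekey(self, new_key: bytes) -> None:
        self.key_id += 1
        self.keys[self.key_id] = new_key
        self.counter = 0

    def send(self, kind: str, payload: bytes, tag: Optional[int] = None) -> Tlp:
        c, self.counter = self.counter, self.counter + 1
        mac = mac_for(self.keys[self.key_id], kind, self.key_id, c, tag, payload)
        return Tlp(kind, self.key_id, c, tag, payload, mac)


class Receiver:
    """Receiver that performs the three checks the CVEs describe as missing."""

    def __init__(self, key: bytes):
        self.keys, self.key_id, self.next_counter = {0: key}, 0, 0
        self.outstanding: set[int] = set()        # tags of requests awaiting completion
        self.delivered: list[tuple[str, bytes]] = []
        self.rejected: list[tuple[str, Tlp]] = []

    def issue_request(self, tag: int) -> None:
        self.outstanding.add(tag)

    def completion_timeout(self, tag: int) -> None:
        # CVE-2025-9613 class: retire the tag completely, so a late completion
        # carrying the same tag can no longer be matched to the dead request.
        self.outstanding.discard(tag)

    def rekey(self, new_key: bytes) -> None:
        # CVE-2025-9614 class: flush everything tied to the old epoch. Policy
        # chosen for the model: old-epoch packets and pre-rekey tags are void.
        self.key_id += 1
        self.keys = {self.key_id: new_key}
        self.next_counter = 0
        self.outstanding.clear()

    def receive(self, tlp: Tlp) -> bool:
        key = self.keys.get(tlp.key_id)
        if key is None:
            return self._reject("stale_key", tlp)
        want = mac_for(key, tlp.kind, tlp.key_id, tlp.counter, tlp.tag, tlp.payload)
        if not hmac.compare_digest(want, tlp.mac):
            return self._reject("bad_mac", tlp)
        # CVE-2025-9612 class: the MAC-bound counter must be exactly the next
        # one; a reordered or replayed packet is dropped without advancing state.
        if tlp.counter != self.next_counter:
            return self._reject("reordered", tlp)
        if tlp.kind == "completion":
            if tlp.tag not in self.outstanding:
                return self._reject("unexpected_completion", tlp)
            self.outstanding.discard(tlp.tag)
        self.next_counter += 1
        self.delivered.append((tlp.kind, tlp.payload))
        return True

    def _reject(self, reason: str, tlp: Tlp) -> bool:
        self.rejected.append((reason, tlp))
        return False


def run_scenarios() -> dict:
    """Drive one stream through the three failure modes; payloads are constructed."""
    k0, k1 = b"A" * 16, b"B" * 16
    s, r = Sender(k0), Receiver(k0)
    r.receive(s.send("posted", b"w0"))
    r.receive(s.send("posted", b"w1"))
    # Reordering: w3 is presented before w2, then both arrive in order.
    w2, w3 = s.send("posted", b"w2"), s.send("posted", b"w3")
    reorder_blocked = not r.receive(w3)
    r.receive(w2)
    r.receive(w3)
    # Completion that shows up after its request timed out, same tag.
    r.issue_request(tag=7)
    late = s.send("completion", b"stale-read", tag=7)
    r.completion_timeout(7)
    timeout_blocked = not r.receive(late)
    # Completion protected under the old key, delivered after a re-key.
    r.issue_request(tag=9)
    old_epoch = s.send("completion", b"pre-rekey", tag=9)
    s.rekey(k1)
    r.rekey(k1)
    rekey_blocked = not r.receive(old_epoch)
    fresh_ok = r.receive(s.send("posted", b"w4"))
    return {"reorder_blocked": reorder_blocked, "timeout_blocked": timeout_blocked,
            "rekey_blocked": rekey_blocked, "fresh_ok": fresh_ok,
            "delivered": [p for _, p in r.delivered],
            "rejected_reasons": [why for why, _ in r.rejected]}


if __name__ == "__main__":
    print(run_scenarios())
```

Each rejection in the model corresponds to one of the disclosed classes: the counter check catches the reordered write, tag retirement on timeout catches the late completion, and the epoch flush catches the pre-rekey completion, while in-order traffic under the current key still flows. Whether a real receiver drops the packet or tears down the stream on these conditions is an implementation decision outside this model.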
Potential Impact
For European organizations, the vulnerabilities pose a moderate risk primarily in environments utilizing PCIe 5.0+ hardware with IDE implementations, such as data centers, cloud providers, financial institutions, and research facilities relying on high-performance computing. Successful exploitation could lead to unauthorized disclosure of sensitive data, privilege escalation within trusted execution environments, or denial of service, potentially disrupting critical operations. The requirement for local or physical access limits the threat to insider attacks, supply chain compromises, or scenarios where attackers gain physical control of hardware. However, given the widespread deployment of affected Intel and AMD processors in enterprise servers and workstations across Europe, the vulnerabilities could impact confidentiality and integrity of sensitive workloads if left unpatched. This is particularly relevant for sectors handling regulated data such as finance, healthcare, and government. The vulnerabilities could also undermine trust in hardware-based security mechanisms, complicating compliance with European data protection regulations like GDPR. The overall impact is medium severity but could escalate if combined with other attack vectors or in high-value target environments.
Mitigation Recommendations
European organizations should prioritize the following:
- Obtain and apply firmware updates from hardware and system vendors that address these PCIe IDE vulnerabilities.
- Verify that systems comply with the updated PCIe 6.0 standard and Erratum #1 guidance from PCI-SIG.
- Implement strict physical security controls to prevent unauthorized local access to servers and workstations, including secure data center access policies and hardware tamper detection.
- Employ hardware attestation and runtime integrity monitoring to detect anomalous behavior indicative of PCIe interface compromise.
- Segregate sensitive workloads into isolated trusted execution environments and limit PCIe device exposure where possible.
- Conduct thorough supply chain risk assessments to ensure hardware components are sourced from trusted vendors with timely patch support.
- Monitor for firmware update advisories from Intel, AMD, and other component manufacturers and integrate these updates into the patch management lifecycle promptly.
- Enhance insider threat detection capabilities to identify attempts to exploit local access vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Article Source: https://thehackernews.com/2025/12/three-pcie-encryption-weaknesses-expose.html (fetched 2025-12-10T14:57:54.318Z, 1043 words)
Threat ID: 69398a745f410c6b20b073ad
Added to database: 12/10/2025, 2:57:56 PM
Last enriched: 12/10/2025, 2:58:14 PM
Last updated: 12/10/2025, 4:07:44 PM