#VU119815 Improper validation of integrity check value in PCI Express (PCIe) Base Specification - CVE-2025-9612

 


Published: December 10, 2025


Vulnerability identifier: #VU119815
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-9612
CWE-ID: CWE-354
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: PCI Express (PCIe) Base Specification
Software vendor: PCI-SIG

Description

The vulnerability allows an attacker to bypass implemented security restrictions. 

The vulnerability exists due to an error in the Transaction Layer Packet (TLP) ordering enforcement mechanism of the PCIe Integrity and Data Encryption (IDE) protocol, as described in the PCI Express (PCIe) Base Specification. A local user or an attacker with physical access to the system can perform a Man-in-the-Middle (MITM) attack to observe and reorder IDE-protected TLPs without triggering detection at the receiver, violating the integrity objectives that both IDE and the TEE Device Interface Security Protocol (TDISP) are designed to uphold.



Remediation

The PCI-SIG has issued a Draft Engineering Change Notice (D-ECN) titled “IDE TLP Reordering Enhancement” to the Base Specification Rev 7.0. The D-ECN feature will be included in upcoming PCI specifications (Base 6.5 and 7.1) and can also be used in current Base 5.x systems through standard compliance procedures.
