Completion Timeout Redirection / CVE-2025-9613 / INTEL-SA-01409

ID 870866
Updated 12/8/2025
Version 1.0
Public

Key Takeaways

  • A gap in the current TDISP standard exposes a potential security vulnerability known as Completion Timeout Redirection (CTR). A malicious privileged software adversary may be able to induce Completion timeouts within PCIe IDE traffic to cause Completions intended for one Trust Domain to be redirected to a second Trust Domain.

  • Intel is collaborating with PCI-SIG and industry partners to update the TDISP specification to address this standard-level gap and incorporate new implementation guidance for hardware vendors to address CTR.

  • Intel recommends that programmable PCIe switches should not be used in Intel TDX Connect deployments that involve affected processors.


Disclosure date: 2025-12-09

Published date: 2025-12-09

Severity rating: 3.0 Low
Industry-wide severity ratings can be found in the National Vulnerability Database.


Overview

TEE Device Interface Security Protocol (TDISP) and Integrity and Data Encryption (IDE) are industry-standard protocols which were first introduced in the PCI Express (PCIe) Base Specification Revision 6.0. These protocols are used by Intel® Trust Domain Extensions Connect (Intel® TDX Connect) to enforce confidentiality and integrity isolation between TEE Device Interfaces (TDIs) exposed by some PCIe devices while they are being used by Trust Domains (TDs). However, a gap in the current TDISP standard exposes a potential security vulnerability known as Completion Timeout Redirection (CTR). A malicious privileged software adversary may be able to induce Completion timeouts within PCIe IDE traffic to cause memory-mapped I/O (MMIO) read responses (called Completions) intended for one TD to be redirected to a second TD. CTR may therefore allow the first TD’s MMIO Completion data to become observable to the second TD (a confidentiality violation) or may allow the second TD to consume incorrect MMIO Completion data (an integrity violation). The current TDISP specification does not define a policy to securely handle this scenario. Consequently, CTR can affect all compliant platforms, including Intel products.

Intel recommends that programmable PCIe switches should not be used in Intel® TDX Connect and IDE deployments that involve an affected processor; see Affected Products.

CTR has been assigned the non-Intel-issued CVE-2025-9613, with a CVSS base score of 3.0 Low (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).

Background

When a host processor issues an MMIO read to a PCIe-connected device, the processor generates a read request (also called a Non-Posted Request or NPR) with a unique tag and sends it over the PCIe interconnect fabric to the device. When the device receives the NPR, it typically responds by sending a Completion, which carries the same tag. When the processor receives the Completion, it uses this tag to match the Completion with the NPR that initiated the request and deliver the data included in the Completion to the software component that triggered the MMIO read.

The PCIe specification also defines a mechanism called Completion Timeout that allows the processor to release the tag associated with an NPR if it has not received a matching Completion within a configurable time duration.

In the Intel TDX Connect threat model, a malicious privileged software adversary may be able to induce completion timeouts for NPRs initiated by TDs. This can potentially allow a Completion intended for one TD to be falsely redirected to a different TD. Consider the following example involving two TDs:

  1. TD1 issues NPR1 and the processor assigns Tag X.
  2. NPR1 experiences a Completion timeout and the processor releases Tag X, allowing it to be reused by another request.
  3. TD2 issues NPR2 and the processor assigns Tag X.
  4. NPR1 and NPR2 reach their respective TDIs and generate associated Completion1 and Completion2, both with Tag X.
  5. Completion1 reaches the processor first and is matched by its tag with NPR2; consequently, TD2 consumes data that was intended for TD1.

The current TDISP specification does not define a policy to securely handle this scenario.
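The five-step sequence above, replayed in a toy tag-tracker model. This is an added illustration, not Intel's or PCI-SIG's code, and it makes no claim about how a real root port or the revised TDISP specification handles timeouts: the tag pool, the two TDs, the payload strings and the "quarantine a timed-out tag" policy in the hardened variant are all constructed assumptions. It shows that matching Completions by tag alone delivers Completion1 to TD2 once Tag X has been recycled, while withholding a timed-out tag from reuse turns the same late Completion into a discarded packet.

```python
from dataclasses import dataclass, field


@dataclass
class TagTracker:
    """Toy model of a root port's NPR tag tracker (constructed for illustration,
    not a real hardware design). Each outstanding tag maps to the TD that issued
    the NPR, and Completions are matched to requesters by tag only."""
    free_tags: list = field(default_factory=lambda: ["X", "Y"])
    quarantine_timed_out: bool = False  # illustrative hardening policy (assumption)
    outstanding: dict = field(default_factory=dict)  # tag -> requesting TD
    quarantined: list = field(default_factory=list)  # tags withheld after a timeout
    delivered: list = field(default_factory=list)    # (td, payload) handed to a TD
    dropped: list = field(default_factory=list)      # (tag, payload) discarded

    def issue_npr(self, td):
        tag = self.free_tags.pop(0)          # lowest free tag, as a simple allocator
        self.outstanding[tag] = td
        return tag

    def completion_timeout(self, tag):
        del self.outstanding[tag]            # the NPR is abandoned either way
        if self.quarantine_timed_out:
            self.quarantined.append(tag)     # assumption: held until the fabric has drained
        else:
            self.free_tags.insert(0, tag)    # baseline: tag immediately reusable

    def receive_completion(self, tag, payload):
        td = self.outstanding.pop(tag, None)
        if td is None:                       # no matching NPR: discard, never guess
            self.dropped.append((tag, payload))
        else:
            self.delivered.append((td, payload))
            self.free_tags.insert(0, tag)


def run_ctr_scenario(quarantine_timed_out=False):
    """Replay the advisory's steps 1-5; return (delivered, dropped)."""
    rp = TagTracker(quarantine_timed_out=quarantine_timed_out)
    tag1 = rp.issue_npr("TD1")                     # 1. TD1 issues NPR1, gets Tag X
    rp.completion_timeout(tag1)                    # 2. NPR1 times out, Tag X released
    tag2 = rp.issue_npr("TD2")                     # 3. TD2 issues NPR2
    # 4. both NPRs reach their TDIs; 5. Completion1 reaches the processor first
    rp.receive_completion(tag1, "data-for-TD1")
    rp.receive_completion(tag2, "data-for-TD2")    # Completion2 arrives afterwards
    return rp.delivered, rp.dropped
```

In the baseline run TD2 receives "data-for-TD1" (the confidentiality and integrity effects the advisory describes) and Completion2 is discarded; with the quarantine policy Completion1 is discarded and TD2 receives its own data.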

Impact

On potentially affected Intel® platforms, CTR only affects Intel® TDX Trust Domains that use Intel TDX Connect to communicate with PCIe devices. If the data path between the host and device includes a PCIe switch that can be reprogrammed by the host, such as a switch with an integrated FPGA controller, this may allow a privileged software adversary to manipulate PCIe traffic to trigger completion timeouts and cause two outstanding Completions to have the same tag.

CTR can impact the confidentiality and integrity of MMIO reads issued by TDs. In the context of the example described above:

  • If TD2 is malicious, then TD2 may be able to observe data from an MMIO read that was initiated by TD1. This scenario can potentially impact the confidentiality of TD1.
  • If TD1 is malicious, then TD2 may inadvertently consume data from an MMIO read that was initiated by TD1. This scenario can potentially impact the integrity of TD1.

Note that MMIO reads initiated by TDs or VMs are typically used to read values in status and control registers on the connected device.

Mitigation

Intel is collaborating with PCI-SIG and industry partners to update the TDISP specification to address this standard-level gap and incorporate new implementation guidance for hardware vendors to address CTR. Future Intel® processors may adopt mitigations recommended by the revised TDISP specification.

Intel recommends that programmable PCIe switches should not be used in Intel TDX Connect deployments that involve affected processors. Although this approach does not fully mitigate CTR, it can reduce a privileged software adversary’s ability to reliably cause completion timeouts and tag collisions. Also note that this approach may not prevent physical attacks on a PCIe link, such as using a purpose-built interposer instead of a programmable switch to maliciously cause completion timeouts. Physical attacks such as this one are within the scope of IDE’s threat model.

Intel and its industry partners continue to study CTR, and Intel may provide further guidance to harden affected Intel processors.