Intel Xeon 6 CVE-2025-32086: Brief Summary of DDRIO Security Check Vulnerability

This post provides a brief summary of CVE-2025-32086, a high-severity vulnerability in Intel Xeon 6 processors related to an improperly implemented security check in DDRIO configuration when using SGX or TDX. The summary covers affected versions, technical details, and vendor security history based on available public sources.
CVE Analysis

6 min read

ZeroPath CVE Analysis

ZeroPath CVE Analysis

2025-08-12

Intel Xeon 6 CVE-2025-32086: Brief Summary of DDRIO Security Check Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Privilege escalation flaws in server CPUs can undermine trusted execution and confidential computing in enterprise and cloud environments. CVE-2025-32086 impacts Intel Xeon 6 processors, exposing a security gap in DDRIO configuration when using Intel SGX or TDX. This vulnerability is rated high severity (CVSS 7.2) and is relevant for organizations relying on hardware-based isolation for sensitive workloads.

Intel is the dominant supplier of server processors globally, with Xeon CPUs powering a significant share of data center and enterprise infrastructure. Intel SGX (Software Guard Extensions) and TDX (Trust Domain Extensions) are widely used for confidential computing and trusted execution, making vulnerabilities in these features critical for security teams.

Technical Information

CVE-2025-32086 is caused by an improperly implemented security check for standard in the DDRIO configuration of Intel Xeon 6 processors. DDRIO (Data Direct I/O) enables direct I/O to processor cache, bypassing main memory for performance gains. When SGX or TDX is enabled, the flawed security check may allow a privileged local user to escalate privileges by circumventing isolation or validation mechanisms intended to protect secure enclaves or trust domains.

The vulnerability is classified under CWE-358 (Improperly Implemented Security Check for Standard), indicating that the processor does not correctly enforce protocol-specified security boundaries. Exploitation requires local privileged access. There are no public exploit details, code snippets, or detection methods available as of the advisory date.

Affected Systems and Versions

  • Intel Xeon 6 processors
  • Vulnerable when DDRIO is configured and either Intel SGX or Intel TDX is enabled
  • No additional version or SKU details are available in public sources

Vendor Security History

Intel has previously faced hardware security issues in similar subsystems. Notable examples include:

  • CVE-2024-48869: Improper restriction of software interfaces to hardware features in Xeon 6 with TDX or SGX
  • NetCAT (CVE-2019-11184): Side-channel attack on DDIO and RDMA
  • Multiple advisories in 2025 related to Xeon 6, SGX, and TDX

Intel typically responds with microcode updates, but the recurrence of such issues highlights ongoing challenges in securing complex CPU features.

References

Detect & fix
what others miss