Introduction
Privilege escalation flaws in server CPUs can undermine trusted execution and confidential computing in enterprise and cloud environments. CVE-2025-32086 affects Intel Xeon 6 processors: an improperly implemented security check in the DDRIO (DDR I/O, the memory-interface block of the processor) configuration, reachable when Intel SGX or TDX is in use, may allow a privileged local user to escalate privileges. The vulnerability is rated high severity (CVSS 7.2) and matters to any organization that relies on hardware-based isolation to protect sensitive workloads from a privileged host operator.
Intel is the dominant supplier of server processors globally, with Xeon CPUs powering a significant share of data center and enterprise infrastructure. Intel SGX (Software Guard Extensions) and TDX (Trust Domain Extensions) are widely used for confidential computing and trusted execution, making vulnerabilities in these features critical for security teams.
Technical Information
CVE-2025-32086 is an improperly implemented security check for a standard in the DDRIO configuration of some Intel Xeon 6 processors. DDRIO here is the processor's DDR I/O block, the memory-interface circuitry that platform firmware programs when it trains and configures system memory. It is not Intel Data Direct I/O (DDIO), the separate feature that lets PCIe devices read and write the last-level cache directly without going through main memory; the two are often confused because of the similar names. Enabling SGX or TDX on Xeon parts involves the processor checking the platform's memory configuration before protected memory (enclave pages or trust-domain memory) is made available. The vulnerability is that one of the checks applied to the DDRIO configuration is not implemented correctly, so a memory configuration that should have been rejected can pass, and a privileged local user may use that to circumvent the isolation or validation mechanisms that protect enclaves or trust domains. Intel's public description does not say which configuration state passes the faulty check.
The vulnerability is classified under CWE-358 (Improperly Implemented Security Check for Standard): the product implements a check that a specification requires, but not in the way the specification demands, so the security boundary the check is meant to enforce does not hold. Exploitation requires local privileged access, meaning an attacker who already holds administrative or kernel-level control of the host. That is precisely the adversary SGX and TDX are designed to exclude (an untrusted or compromised host operator attacking enclaves or trust domains), so "requires privileged access" does not reduce the impact for confidential-computing deployments the way it would for an ordinary OS-level flaw. There are no public exploit details, code snippets, or detection methods available as of the advisory date; the practical response is to obtain the updated microcode or platform firmware from the system vendor and verify the installed versions against Intel's advisory.
Affected Systems and Versions
- Intel Xeon 6 processors
- Vulnerable when DDRIO is configured and either Intel SGX or Intel TDX is enabled; hosts with both features disabled are not in the advisory's scope
- No additional version or SKU details are available in public sources; affected parts and fixed microcode or firmware levels must be taken from Intel's advisory and the system vendor's release notes
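Because the advisory gives no detection method, the useful check for an operator is an inventory one: does this host meet both conditions (a Xeon 6 part, and SGX or TDX enabled), and what microcode and BIOS level is it running, so the numbers can be compared with the fix levels Intel and the OEM publish. The script below is an added example written for this page; it is not Intel's code and not part of the advisory. It assumes a Linux host and relies on these labelled assumptions: the /proc/cpuinfo flag names "sgx" and "tdx_host_platform", the sysfs DMI paths for the BIOS version, and a model-name heuristic ("Intel(R) Xeon(R) 6xxx") that should be confirmed against the CPUID signatures in Intel's advisory. Fixed version numbers are deliberately not hard-coded, because the page does not list them.

```shell
#!/bin/sh
# Added example, not Intel's code: inventory check for CVE-2025-32086 scope.
# Reports model, microcode, BIOS and which TEE features the kernel exposes,
# then gives an in-scope/out-of-scope verdict. The operator still compares
# the reported microcode/BIOS against the fix levels from Intel and the OEM.

# Print the value of one /proc/cpuinfo field (first CPU only).
cpuinfo_field() { # $1 = cpuinfo text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Succeed when the first CPU's flags line contains exactly the flag $2.
has_flag() { # $1 = cpuinfo text, $2 = flag name
    cpuinfo_field "$1" flags | tr ' ' '\n' | grep -qx -- "$2"
}

# Heuristic (assumption): Xeon 6 parts carry model names like "Intel(R) Xeon(R) 6980P".
# Older parts read "Intel(R) Xeon(R) Gold 6138 ..." and do not match.
# Confirm against the CPUID signatures Intel lists in the advisory.
is_xeon6() {
    cpuinfo_field "$1" "model name" | grep -Eq 'Xeon\(R\) 6[0-9]{3}'
}

# Which trusted-execution features the kernel reports: sgx, tdx, sgx+tdx or none.
# Assumptions: Linux only shows "sgx" when SGX is enabled in IA32_FEATURE_CONTROL,
# and "tdx_host_platform" means the platform can host TDX (TDX module init is separate).
tee_features() {
    f=none
    if has_flag "$1" sgx; then f=sgx; fi
    if has_flag "$1" tdx_host_platform; then
        if [ "$f" = sgx ]; then f=sgx+tdx; else f=tdx; fi
    fi
    printf '%s\n' "$f"
}

# "in-scope" when both advisory conditions hold (Xeon 6 and SGX or TDX on).
scope_verdict() {
    if is_xeon6 "$1" && [ "$(tee_features "$1")" != none ]; then
        echo in-scope
    else
        echo out-of-scope
    fi
}

# Constructed sample standing in for /proc/cpuinfo on a Xeon 6 host with both
# features enabled. The flags list and microcode value are abbreviated/illustrative.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model name : Intel(R) Xeon(R) 6980P
microcode : 0x1000
flags : fpu vme de pse msr sgx tdx_host_platform sgx_lc'

# Report for the live host; falls back to the constructed sample off-Linux.
report() {
    if [ -r /proc/cpuinfo ]; then
        src=$(cat /proc/cpuinfo); where=host
    else
        src=$SAMPLE_CPUINFO; where=sample
    fi
    printf 'source=%s\n' "$where"
    printf 'model=%s\n' "$(cpuinfo_field "$src" "model name")"
    printf 'microcode=%s\n' "$(cpuinfo_field "$src" microcode)"
    printf 'tee=%s\n' "$(tee_features "$src")"
    printf 'bios=%s (%s)\n' \
        "$(cat /sys/class/dmi/id/bios_version 2>/dev/null || echo unknown)" \
        "$(cat /sys/class/dmi/id/bios_date 2>/dev/null || echo unknown)"
    printf 'verdict=%s\n' "$(scope_verdict "$src")"
}

report
```

The verdict is intentionally conservative: a host that shows the TDX host flag but has not initialized the TDX module is still reported in-scope, because the firmware configuration the advisory concerns is what matters, not whether a trust domain is currently running. Feed the output into whatever fleet inventory you use and compare the microcode and BIOS values against the fixed levels in Intel's advisory and the OEM's release notes.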
Vendor Security History
Intel has previously faced hardware security issues in the same feature areas. Notable examples include:
- CVE-2024-48869: Improper restriction of software interfaces to hardware features in Xeon 6 with TDX or SGX, also rated as a local privilege escalation for a privileged user
- NetCAT (CVE-2019-11184): A side-channel attack on Intel DDIO (Data Direct I/O) combined with RDMA. Despite the similar name, DDIO is a different feature from the DDRIO memory interface at issue here, and NetCAT is an information-disclosure side channel, not a privilege escalation
- Multiple advisories in 2025 related to Xeon 6, SGX, and TDX
Intel typically responds with microcode and platform firmware (BIOS) updates delivered through system vendors, which means the fix reaches a host only once the OEM ships it and the operator installs it. The recurrence of such issues highlights the ongoing difficulty of securing the interaction between complex CPU features and the platform firmware that configures them.