WTF?! AMD has patched a remote code execution vulnerability in its auto-updater software, but there's much more to this story. The company is facing a slew of criticism over how it handled the researcher who reported it. Team Red first dismissed the bug as "out of scope," then asked him to stay quiet, then changed its rules after the fact to make that silence a requirement.
The vulnerability was discovered by security researcher MrBruh after an AMD updater console window kept appearing on his new gaming PC.
Decompiling the software revealed that while AMD's updater pulled its update list over HTTPS, the executable download links themselves used plain HTTP. Worse still, the updater apparently performed no certificate validation or real signature check before running the downloaded file.
That vulnerability could allow a man-in-the-middle attack. Someone on the same network, or able to interfere with the connection further upstream, could replace AMD's update file with a malicious executable. Because the updater runs with elevated privileges, the result could be remote code execution.
After discovering it on January 27, MrBruh reported the issue to AMD on February 6 through its bug bounty program. The company's response was to close the report because it was deemed "out of scope," as it involved a man-in-the-middle attack and affected optional tools. That meant no bounty, despite the bug later receiving CVE-2026-40677 and a CVSS 4.0 score of 7.7. The full process lasted 124 days, with the embargo ending on June 9.

After MrBruh published his findings and the post gained traction on Hacker News, AMD's internal PSIRT team reappeared to say the issue was still being reviewed. The company then asked him to take the post down while it worked on a fix, saying the disclosure did not appear to comply with the program's terms.

According to Gamers Nexus, AMD later changed the wording of its bug bounty rules to state that researchers must not disclose vulnerability information without AMD's written consent even when a report is deemed ineligible for a bounty or out of scope. It appears AMD accused MrBruh of breaking a rule it introduced only after he violated it.

AMD's official bulletin now acknowledges the vulnerability and credits MrBruh. It lists AMD Ryzen Master 2.14.3, AMD µProf 5.3, and AMD Management Console 14.0.0 as mitigated versions. But the patch still raises questions.
AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable. A CRC32 is an error-detecting checksum, not a cryptographic signature: it says nothing about who produced the file, and anyone who can swap the file can make its checksum match.
MrBruh also says a separate redirection bug means the updater may not be able to update itself properly. He recommends that users fully uninstall AMD's software and download the latest versions manually from the company's website instead.
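The two technical points above, the original downloader's missing integrity check and the CRC32-only check the researcher found after the patch, can be made concrete. The Python below is an added example written for this page, not AMD's or MrBruh's code; the update bytes, the manifest layout and the function names are constructed assumptions. It shows that CRC32 is linear, so an attacker who can serve the file appends four chosen bytes to any payload to match the legitimate file's CRC32, while a SHA-256 digest pinned in an HTTPS-served manifest (or, better still, a public-key signature, which needs a library not used here) rejects the swap.

```python
"""Why a CRC32 check is not a signature: forging a CRC32 collision.

Added example, not AMD's updater code. LEGIT_UPDATE and TAMPERED_PAYLOAD
are constructed stand-ins for the real update binary and an attacker's
replacement; MANIFEST is an assumed shape, not AMD's manifest format.
"""
import hashlib
import zlib

# Standard reflected CRC-32 (IEEE 802.3) table, the same one zlib uses.
POLY = 0xEDB88320
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    CRC_TABLE.append(c)
# The top byte of each table entry is unique, so it identifies the index.
TOP_BYTE_TO_INDEX = {CRC_TABLE[i] >> 24: i for i in range(256)}


def crc32_forge_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target.

    CRC-32 is linear, so four trailing bytes always suffice to steer the
    checksum to any value: walk the target register backwards through four
    table steps to learn which table index each step must use, then replay
    forwards from the real register to pick the byte producing that index.
    """
    x = target ^ 0xFFFFFFFF  # undo the final inversion -> internal register
    idx = [0] * 4
    for i in (3, 2, 1, 0):
        idx[i] = TOP_BYTE_TO_INDEX[x >> 24]
        x = ((x ^ CRC_TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    reg = zlib.crc32(data) ^ 0xFFFFFFFF  # register after the real data
    suffix = bytearray()
    for i in range(4):
        suffix.append((reg ^ idx[i]) & 0xFF)
        reg = CRC_TABLE[idx[i]] ^ (reg >> 8)
    return bytes(suffix)


def verify_crc32(blob: bytes, expected: int) -> bool:
    """The kind of check the researcher reported finding: a CRC32 compare."""
    return zlib.crc32(blob) == expected


def verify_sha256(blob: bytes, expected_hex: str) -> bool:
    """A cryptographic digest pinned in the HTTPS-served manifest."""
    return hashlib.sha256(blob).hexdigest() == expected_hex


# Constructed stand-ins for the update binary and the attacker's replacement.
LEGIT_UPDATE = b"MZ\x90\x00legit-updater-build-2.14.3" * 4
TAMPERED_PAYLOAD = b"MZ\x90\x00evil-installer-run-as-admin" * 4

# What a manifest would carry for each kind of check (assumed layout).
MANIFEST = {
    "crc32": zlib.crc32(LEGIT_UPDATE),
    "sha256": hashlib.sha256(LEGIT_UPDATE).hexdigest(),
}


def forge_collision(legit: bytes, payload: bytes) -> bytes:
    """Attacker side: pad the payload so its CRC32 equals the legit file's.

    The four bytes land after the PE image as overlay data, which Windows
    ignores when loading, so the tampered executable still runs.
    """
    return payload + crc32_forge_suffix(payload, zlib.crc32(legit))


def demo() -> dict:
    """Run both checks against the forged file; only SHA-256 rejects it."""
    forged = forge_collision(LEGIT_UPDATE, TAMPERED_PAYLOAD)
    return {
        "crc32_passes": verify_crc32(forged, MANIFEST["crc32"]),
        "sha256_passes": verify_sha256(forged, MANIFEST["sha256"]),
    }


if __name__ == "__main__":
    print(demo())
```

The SHA-256 compare only helps if the digest itself arrives over an authenticated channel (the HTTPS manifest) and the updater validates that TLS certificate; a digest fetched over plain HTTP can be swapped along with the file. A detached signature over the binary, verified against a public key shipped inside the updater, removes even that dependency on the transport.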

