AMD has fixed a remote code execution vulnerability in some of its software products. The vulnerability itself, however, has been described as the lesser problem: the way the company responded to the researcher who reported it has caused an uproar in the security community.
According to reports, the issue was first identified by security researcher MrBruh after he noticed something odd on a gaming PC he had just built. An AMD updater console window kept appearing, which led him to analyse how the tool works.
While decompiling the software, the researcher identified a significant security hole. Although the updater fetched its list of available updates over an encrypted HTTPS connection, the executable files themselves were downloaded over plain HTTP.
The update binaries therefore travelled in cleartext, with none of the protection HTTPS would have provided. The problem did not end there: according to the researcher, AMD’s updater also lacked both certificate verification and digital signature checks.
The result was a man-in-the-middle vulnerability: an attacker on the same network, or otherwise able to intercept the traffic, could replace a genuine AMD update with a malicious executable. That executable would then run with the updater’s privileges on the victim’s computer.
MrBruh contacted AMD regarding this issue using their bug bounty program on February 6, having found the problem on January 27.
He was taken aback by the company’s reply.
AMD Under Fire: Controversial Handling of Researcher Disclosure and Policy Changes
Firstly, AMD closed the report as out of scope. AMD reportedly stated that the problem depended on a man-in-the-middle attack and affected optional software rather than the company’s core products, and hence did not fall within the scope of the bug bounty program.
What shocked MrBruh was that the same vulnerability was later assigned the CVE number CVE-2026-40677 with a CVSS severity score of 7.7.
The disclosure process lasted 124 days, with the embargo ending on June 9.

The controversy grew after MrBruh published details of his findings. His post gained attention on Hacker News, prompting AMD’s Product Security Incident Response Team (PSIRT) to revisit the issue.
AMD then asked the researcher to remove his public post while the company worked on a fix. According to reports, AMD claimed the disclosure might violate the terms of its bug bounty program.
That request became even more controversial when reports surfaced that AMD later updated its bug bounty rules. The revised language states that researchers must not publicly disclose vulnerability information without written permission from AMD, even if the report is considered out of scope or ineligible for a reward.
Critics argued that AMD appeared to be enforcing a rule that did not exist when the researcher originally disclosed the issue. This aspect of the case has generated as much discussion as the vulnerability itself.
AMD has released a formal security advisory acknowledging the vulnerability and thanking MrBruh for reporting it.
AMD’s Patching Flaw and the Importance of Cryptographic Verification
According to the announcement, the problem has been fixed in recent releases of AMD Ryzen Master 2.14.3, AMD µProf 5.3, and AMD Management Console 14.0.0.
Furthermore, the company informed the researcher that all update-related communication now takes place over HTTPS, and that every downloaded update file has its integrity verified with a signature before installation begins.
However, the efficacy of the patch remains questionable.
According to MrBruh, HTTPS now appears to be used throughout the update procedure; however, the software validates executables with a CRC32 checksum rather than a signature.
While such a check can detect accidental corruption of update files, CRC32 is a non-cryptographic checksum: anyone who can supply a file can also supply a matching checksum, so it cannot prove that an executable is authentic, which is precisely what a security check needs to establish. Cryptographic signatures are the standard tool for this purpose.
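The difference between the two checks, as an added illustration that is not code from the article or from AMD’s updater: a checksum check accepts any file that arrives with its own CRC32, whereas a signature check accepts only files signed with the publisher’s private key. The key pair, function names and sample payloads are hypothetical and constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

// Hypothetical publisher key pair, generated fresh for this demo.
// A real updater ships only the public key; the private key stays with the publisher.
var pubKey, privKey, _ = ed25519.GenerateKey(rand.Reader)

// CRCOf computes the CRC32 an updater would compare against. It needs no secret,
// so whoever supplies the file can also supply a matching value.
func CRCOf(file []byte) uint32 { return crc32.ChecksumIEEE(file) }

// VerifyByCRC mirrors the weak check: it only detects accidental corruption.
func VerifyByCRC(file []byte, expected uint32) bool { return CRCOf(file) == expected }

// Sign produces the detached signature a publisher ships next to an update
// (signing the SHA-256 digest of the file, as a signed manifest would).
func Sign(priv ed25519.PrivateKey, file []byte) []byte {
	digest := sha256.Sum256(file)
	return ed25519.Sign(priv, digest[:])
}

// VerifyBySignature accepts the file only if the signature was made with the publisher's private key.
func VerifyBySignature(pub ed25519.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	genuine := []byte("constructed: genuine update payload") // constructed sample data
	swapped := []byte("constructed: swapped-in payload")     // constructed sample data
	sig := Sign(privKey, genuine)
	// A swapped file delivered together with its own CRC passes the checksum test...
	fmt.Println("CRC accepts swapped file with its own checksum:", VerifyByCRC(swapped, CRCOf(swapped)))
	// ...but without the private key nobody can produce a valid signature for it.
	fmt.Println("signature accepts genuine file:", VerifyBySignature(pubKey, genuine, sig))
	fmt.Println("signature rejects swapped file:", !VerifyBySignature(pubKey, swapped, sig))
}
```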
Moreover, MrBruh identified a separate redirection flaw that could also affect the updater’s correct operation.
For the time being, MrBruh advises affected users to uninstall the software and install the latest versions manually from AMD’s official site rather than through the updater.
This case offers two important takeaways. The first is that software update mechanisms must always be protected, because the system inherently trusts what they deliver. The second is that how a company responds to security researchers is often just as important as the fix itself.