AMD Auto Updater Had a Remote Code Execution Vulnerability
The case shows a gap between bug bounty program scope and actual security risk, with AMD's fix approach still drawing criticism from the researcher.
Reporting from 1 source: GIGAZINE.
Security researcher MrBruh found a remote code execution vulnerability in AMD's Auto Updater. The tool downloads executables over plain HTTP without signature verification, so an attacker in a man-in-the-middle position can tamper with the download. AMD initially rejected the report through its bug bounty program but later assigned CVE-2026-40677 and recommended updates to the affected products.
MrBruh reported the flaw on February 6, 2026. Intigriti, which runs AMD's bug bounty program, closed the report the same day as ineligible because the attack requires a man-in-the-middle position. After the researcher's blog post gained traction on Hacker News, AMD's PSIRT reopened the case. AMD assigned CVE-2026-40677 and recommended updates to AMD Management Console, Ryzen Master, and µProf. But MrBruh says Ryzen Master's updated mechanism still uses only a CRC-32 check, not cryptographic signature verification, and calls AMD's explanation inaccurate. A CRC-32 is an unkeyed error-detection code: it catches accidental corruption, but anyone who alters the file can simply recompute it, so it offers no protection against deliberate substitution. The updater also cannot handle redirects from ati.com to drivers.amd.com, which may crash the update process.
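The two defensive properties the article describes as missing are easy to demonstrate side by side: a download that is only checked with CRC-32 accepts any substituted file whose CRC has been recomputed, while an Ed25519 signature verified against a pinned public key does not, and an HTTP client redirect policy can refuse downgrades to plain HTTP and hops to unexpected hosts rather than failing on them. The Go program below is an added example written for this summary; it is not AMD's code or the researcher's. The manifest field names, the allowlist, and the Ed25519 key pair generated at startup are all constructed for the demonstration; the two hostnames are only the ones the article mentions, used as sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"hash/crc32"
	"net/http"
)

// UpdateManifest is a constructed stand-in for the metadata an updater fetches
// alongside an executable. Field names are assumptions made for this example.
type UpdateManifest struct {
	CRC       uint32 // what a CRC-32-only updater compares against
	Signature []byte // Ed25519 signature over the payload bytes
}

// publishUpdate simulates the vendor side: compute the CRC and sign the payload.
func publishUpdate(priv ed25519.PrivateKey, payload []byte) UpdateManifest {
	return UpdateManifest{
		CRC:       crc32.ChecksumIEEE(payload),
		Signature: ed25519.Sign(priv, payload),
	}
}

// crcMatches is the weak check: CRC-32 only detects accidental corruption.
func crcMatches(payload []byte, m UpdateManifest) bool {
	return crc32.ChecksumIEEE(payload) == m.CRC
}

// signatureValid is the strong check: only the holder of the private key can
// produce a signature that verifies under the public key pinned in the client.
func signatureValid(pub ed25519.PublicKey, payload []byte, m UpdateManifest) bool {
	return ed25519.Verify(pub, payload, m.Signature)
}

// substitutedManifest is a test fixture modelling a file replaced in transit:
// the unkeyed CRC is trivially recomputed, but the signature cannot be, so the
// original signature stays in the manifest and will no longer verify.
func substitutedManifest(m UpdateManifest, replacement []byte) UpdateManifest {
	m.CRC = crc32.ChecksumIEEE(replacement)
	return m
}

// allowedHosts is an assumed allowlist of download origins (sample values only).
var allowedHosts = map[string]bool{"drivers.amd.com": true, "ati.com": true}

// allowRedirect is an http.Client CheckRedirect policy: at most five hops,
// HTTPS only, and only to allowlisted hosts. A downgrade to http:// or a hop to
// an unknown host aborts the download with an error instead of being followed.
func allowRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return errors.New("too many redirects")
	}
	if req.URL.Scheme != "https" {
		return fmt.Errorf("refusing non-HTTPS redirect to %s", req.URL)
	}
	if !allowedHosts[req.URL.Hostname()] {
		return fmt.Errorf("refusing redirect to unexpected host %s", req.URL.Hostname())
	}
	return nil
}

// newUpdaterClient returns an http.Client that applies the redirect policy above.
func newUpdaterClient() *http.Client {
	return &http.Client{CheckRedirect: allowRedirect}
}

func main() {
	// Constructed key pair: in a real updater the public key is pinned in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample installer bytes")
	m := publishUpdate(priv, genuine)
	fmt.Println("genuine:     crc ok =", crcMatches(genuine, m), " sig ok =", signatureValid(pub, genuine, m))

	replaced := []byte("constructed substituted installer bytes")
	m2 := substitutedManifest(m, replaced)
	fmt.Println("substituted: crc ok =", crcMatches(replaced, m2), " sig ok =", signatureValid(pub, replaced, m2))

	_ = newUpdaterClient() // would be used for the actual download over HTTPS
}
```

Running it prints `crc ok = true` for both files but `sig ok = true` only for the genuine one, which is exactly the gap between a checksum and a signature. The redirect policy is separate from the signature check on purpose: transport hardening limits who can tamper in transit, while the signature is what the client actually trusts, so a failure in one does not silently disable the other.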
Synthesized by Yomimono from the one cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.