Overview
- A researcher found that the updater could fetch executables over unencrypted HTTP, a design that could allow a man-in-the-middle attacker on the network path to swap in a different file and gain remote code execution on the machine running the update, and reported the bug to AMD in early February.
- AMD closed the initial report as out of scope for its bounty program, asked the researcher to delay public disclosure, and later changed its bug‑bounty rules to require written consent before researchers publish findings.
- After a 124-day process, the company released mitigated builds on June 9 (Ryzen Master 2.14.3, µProf 5.3, Management Console 14.0.0), assigned CVE-2026-40677 with a CVSS score of 7.7, and credited the researcher.
- Security researchers dispute the strength of the fix: the updated client validates downloads with a CRC32 checksum, which is an error-detection code rather than a cryptographic signature, so an attacker who can replace the file in transit can also adjust it to match the expected checksum. Some reports also say the vulnerable code path may never have been invoked in practice.
- The researcher advises users to uninstall the affected AMD software and manually download the listed patched versions from AMD's site. More broadly, the episode raises trust and disclosure concerns between vendors and security researchers.
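To make the CRC32 objection concrete, the following is an added example (my own code, not AMD's client and not the researcher's proof of concept). It models the patched check as "crc32(downloaded file) == expected value" and shows how an attacker who already controls the download makes an arbitrary payload pass it. The sample "installer" bytes and the function names are constructed for the example and are not taken from the page. The point it demonstrates is that CRC32 is affine over GF(2), so the four-byte correction is found by solving a 32x32 linear system rather than by brute force; a pinned SHA-256 over the file does not fall to the same trick, and a signature verified against a key that does not travel over the same channel is the check that actually binds the file to the vendor.

```python
"""Forging a CRC32 "integrity" check on a replaced download.

Added example, not AMD's code. The updater's check is modelled as
crc32(file) == expected; the attacker holds a malicious payload and wants it
to pass. Because CRC32 is affine over GF(2), the CRC of payload||tail equals
crc32(payload||0000) XOR L(tail) with L linear in the 32 tail bits, so the
tail is the solution of a 32x32 linear system.
"""
import hashlib
import zlib


def crc32_of(data: bytes) -> int:
    """CRC32 as zlib computes it (standard init/final XOR), masked to 32 bits."""
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_crc32(payload: bytes, target_crc: int) -> bytes:
    """Return payload + 4 bytes whose CRC32 equals target_crc.

    The 4 bytes are appended, so for a PE file they land in the overlay,
    which the Windows loader ignores; the executable still runs unchanged.
    """
    base = crc32_of(payload + b"\x00" * 4)
    want = base ^ target_crc
    # Column k: the change in the CRC caused by setting bit k of the tail.
    cols = [crc32_of(payload + (1 << k).to_bytes(4, "little")) ^ base
            for k in range(32)]

    # Gaussian elimination over GF(2). Each basis entry remembers which tail
    # bits it is composed of, so the solution can be read back directly.
    basis = []  # (pivot_bit, vector, combination_of_tail_bits)
    for k, vec in enumerate(cols):
        combo = 1 << k
        for pivot, bvec, bcombo in basis:
            if (vec >> pivot) & 1:
                vec ^= bvec
                combo ^= bcombo
        if vec:
            basis.append((vec.bit_length() - 1, vec, combo))

    tail_bits = 0
    for pivot, bvec, bcombo in basis:
        if (want >> pivot) & 1:
            want ^= bvec
            tail_bits ^= bcombo
    if want:  # cannot happen: 4 free bytes reach every 32-bit CRC value
        raise ValueError("no 4-byte tail reaches the target CRC")
    return payload + tail_bits.to_bytes(4, "little")


def crc32_check_passes(blob: bytes, expected_crc: int) -> bool:
    """The kind of check the patched client is reported to perform (modelled)."""
    return crc32_of(blob) == expected_crc


def sha256_check_passes(blob: bytes, expected_hex: str) -> bool:
    """A pinned cryptographic digest, for contrast; the expected value must
    come from a trusted path (not the same HTTP channel) to mean anything."""
    return hashlib.sha256(blob).hexdigest() == expected_hex


# Constructed sample data standing in for the real installer and its substitute.
GENUINE_INSTALLER = b"MZ\x90\x00genuine installer bytes"           # constructed
MALICIOUS_PAYLOAD = b"MZ\x90\x00attacker-controlled executable"    # constructed


def demo() -> dict:
    """Run the attacker's forgery against both checks and report the outcome."""
    expected_crc = crc32_of(GENUINE_INSTALLER)
    expected_sha = hashlib.sha256(GENUINE_INSTALLER).hexdigest()
    forged = forge_crc32(MALICIOUS_PAYLOAD, expected_crc)
    return {
        "forged_passes_crc32": crc32_check_passes(forged, expected_crc),
        "forged_passes_sha256": sha256_check_passes(forged, expected_sha),
        "forged_starts_with_payload": forged.startswith(MALICIOUS_PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the forged file passes the CRC32 check and fails the SHA-256 check while still beginning with the attacker's bytes. Note that if the expected CRC (or even an expected SHA-256) is itself fetched over the same unauthenticated HTTP connection, the attacker simply rewrites that value too; only a signature checked against a key already on the machine, or a TLS connection to a verified origin, removes the attacker from the loop.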