• Category: Security
  • Status: confirmed
  • Sources: MrBruh disclosure, HN discussion
  • Summary: A researcher disclosure published when the embargo ended on 2026-06-09 shows AMD AutoUpdate fetched its download manifest over HTTPS but downloaded the referenced executables over unencrypted HTTP and ran them immediately with no signature verification, enabling man-in-the-middle remote code execution. AMD first rejected the report as out of scope on 2026-02-06, reversed the next day, committed to a CVE, and shipped a fix that removes the installer auto-updater and moves updates to the application layer with HTTPS and signature verification. A CVE number and affected version ranges are not yet published. An unrelated redirection bug had left the vulnerable code path unreachable in practice, and no in-the-wild exploitation is reported.
  • Why it matters: Unsigned update channels over plain HTTP remain a recurring supply chain weakness in vendor tooling; the timeline also documents how initial vendor triage dismissed an RCE-class report.

Send feedback on this story