Security
AMD AutoUpdate downloaded and ran executables over plain HTTP without signature checks
- Category: Security
- Status: confirmed
- Sources: MrBruh disclosure, HN discussion
- Summary: A researcher disclosure published when the embargo ended on 2026-06-09 shows AMD AutoUpdate fetched its download manifest over HTTPS but downloaded the referenced executables over unencrypted HTTP and ran them immediately with no signature verification, enabling man-in-the-middle remote code execution. AMD first rejected the report as out of scope on 2026-02-06, reversed the next day, committed to a CVE, and shipped a fix that removes the installer auto-updater and moves updates to the application layer with HTTPS and signature verification. A CVE number and affected version ranges are not yet published. An unrelated redirection bug had left the vulnerable code path unreachable in practice, and no in-the-wild exploitation is reported.
- Why it matters: Unsigned update channels over plain HTTP remain a recurring supply chain weakness in vendor tooling; the timeline also documents how initial vendor triage dismissed an RCE-class report.