Security
AMD denies $10,000 bounty for auto-updater RCE; CVE-2026-40677
- Category: Security
- Status: confirmed
- Sources: Tom's Hardware, researcher write-up, HN discussion
- Summary: A researcher (MrBruh) reported a remote code execution flaw in AMD's auto-update software, exploitable via a man-in-the-middle attack because the downloaded executable was validated only with a CRC32 check rather than a cryptographic signature. AMD initially closed the report as out of scope and paid no bounty; the issue was later assigned CVE-2026-40677 (CVSS 7.7) and took 124 days to patch, with the embargo ending 2026-06-09. After the write-up reached HN, AMD's bulletin acknowledged the vulnerability and credited the researcher.
- Why it matters: Software auto-updaters that skip signature verification are a direct supply-chain delivery path, and the disclosure-handling dispute affects whether researchers keep reporting to AMD.