
AMD changes rules, denies researcher $10,000 bounty after taking 124 days to patch security flaw


WTF?! AMD has patched a remote code execution vulnerability in its auto-updater software, but there's a lot more to this story. The company is facing a slew of criticism over how it handled the researcher who reported it. Team Red first dismissed the bug as "out of scope," then asked him to stay quiet, then changed its rules after the fact to make that silence a requirement.

The vulnerability was discovered by security researcher MrBruh after an AMD updater console window kept appearing on his new gaming PC.

Decompiling the software revealed that while AMD's updater fetched its update list over HTTPS, the download links for the executables themselves used plain HTTP. Worse still, the updater apparently did not verify the downloaded file at all before running it: no check of its signing certificate and no real signature verification.

That combination opens the door to a man-in-the-middle attack. Plain HTTP provides neither confidentiality nor authenticity, so anyone on the same network, or positioned to interfere with the connection further upstream, could swap AMD's update file for a malicious executable and the updater would run it. Because the updater runs with elevated privileges, the result is code execution at that privilege level.

After discovering it on January 27, MrBruh reported the issue to AMD on February 6 through its bug bounty program. The company's response was to close the report because it was deemed "out of scope," as it involved a man-in-the-middle attack and affected optional tools. That meant no bounty, despite the bug later receiving CVE-2026-40677 and a CVSS 4.0 score of 7.7. The full process lasted 124 days, with the embargo ending on June 9.

After MrBruh published his findings and the post gained traction on Hacker News, AMD's internal PSIRT team reappeared to say the issue was still being reviewed. The company then asked him to take the post down while it worked on a fix, saying the disclosure did not appear to comply with the program's terms.

According to Gamers Nexus, AMD later changed the wording of its bug bounty rules to state that researchers must not disclose vulnerability information without AMD's written consent, even if a report is deemed ineligible for a bounty or out of scope. In effect, AMD accused MrBruh of breaking a rule it only introduced after the fact.

AMD's official bulletin now acknowledges the vulnerability and credits MrBruh. It lists AMD Ryzen Master 2.14.3, AMD µProf 5.3, and AMD Management Console 14.0.0 as mitigated versions. But the patch still raises questions.

AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable. A CRC32 is an error-detecting checksum, not a cryptographic signature: it involves no key, and anyone who can tamper with the file can trivially adjust it so that the checksum still matches, so it offers no protection against a deliberate substitution.
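To make the two technical points above concrete (a plain-HTTP download with nothing authenticating the file, and a CRC32 "fix" that an attacker can satisfy at will), here is an added example. It is not AMD's code, MrBruh's code, or the real updater's manifest format; the update blobs, manifest entries and URLs are constructed for the demonstration. It goes one step beyond the text by actually forging the checksum: given a malicious payload and the CRC32 of the genuine file, it appends four bytes so the CRC32 matches. The SHA-256 digest pinned in an HTTPS-fetched manifest is used here as the minimum acceptable alternative because the standard library has no public-key signature support; a detached signature over the file verified against a vendor public key is the check the page says AMD promised.

```python
import hashlib
import zlib
from urllib.parse import urlparse

# --- CRC32 internals (reflected polynomial 0xEDB88320, the one zlib uses) ---

def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _make_table()
# The 256 table entries have 256 distinct top bytes, which is what lets us
# run one byte of the CRC update backwards.
REV = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
if len(REV) != 256:
    raise RuntimeError("CRC table top bytes are not a bijection")


def forge_crc32_suffix(payload: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(payload + s) == target_crc."""
    reg = zlib.crc32(payload) ^ 0xFFFFFFFF   # raw register after payload
    want = target_crc ^ 0xFFFFFFFF            # raw register we must end on
    # Backwards: the table index used in each step is fixed by the top
    # byte of the register after that step, so recover the four indices.
    idxs = []
    r = want
    for _ in range(4):
        idx = REV[r >> 24]
        idxs.append(idx)
        r = ((r ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    # Forwards: pick each byte so the step uses the planned index.
    out = bytearray()
    for idx in reversed(idxs):
        out.append((reg ^ idx) & 0xFF)
        reg = TABLE[idx] ^ (reg >> 8)
    return bytes(out)


# --- The checks an updater might run on the downloaded file ---

def crc32_check_passes(blob: bytes, expected_crc: int) -> bool:
    """Unkeyed error-detecting checksum: modelled on what the researcher
    reported finding in the patched updater."""
    return zlib.crc32(blob) == expected_crc


def sha256_check_passes(blob: bytes, expected_hex: str) -> bool:
    """Digest pinned in an authenticated (HTTPS-served) manifest. Preimage
    resistance means a substituted file cannot be made to match."""
    return hashlib.sha256(blob).hexdigest() == expected_hex


def manifest_problems(manifest: dict) -> list:
    """Flag entries whose download could be tampered with: a non-HTTPS URL
    or no cryptographic digest/signature to verify the file against."""
    problems = []
    for entry in manifest["updates"]:
        scheme = urlparse(entry["url"]).scheme
        if scheme != "https":
            problems.append(f'{entry["name"]}: download URL uses {scheme}, not https')
        if "sha256" not in entry and "signature" not in entry:
            problems.append(f'{entry["name"]}: no sha256 or signature field')
    return problems


# Constructed sample data: not real AMD installers, manifests or hosts.
LEGIT_UPDATE = b"MZ\x90\x00 genuine installer bytes (constructed) \x00" * 40
MALICIOUS = b"MZ\x90\x00 attacker payload bytes (constructed) \x00" * 40
LEGIT_SHA256 = hashlib.sha256(LEGIT_UPDATE).hexdigest()

SAMPLE_MANIFEST = {"updates": [
    {"name": "tool-weak", "url": "http://updates.example.invalid/tool.exe",
     "crc32": zlib.crc32(LEGIT_UPDATE)},
    {"name": "tool-fixed", "url": "https://updates.example.invalid/tool.exe",
     "sha256": LEGIT_SHA256},
]}


def attack_outcome() -> dict:
    """Attacker swaps the file in transit and pads it to the genuine CRC32.
    Which of the two checks notices?"""
    target = zlib.crc32(LEGIT_UPDATE)
    forged = MALICIOUS + forge_crc32_suffix(MALICIOUS, target)
    return {
        "forged_passes_crc32": crc32_check_passes(forged, target),    # True
        "forged_passes_sha256": sha256_check_passes(forged, LEGIT_SHA256),  # False
        "legit_passes_sha256": sha256_check_passes(LEGIT_UPDATE, LEGIT_SHA256),  # True
    }


if __name__ == "__main__":
    print(manifest_problems(SAMPLE_MANIFEST))
    print(attack_outcome())
```

The forgery works because CRC32 is linear over GF(2) and the last four input bytes can steer the 32-bit register to any value; the digest check survives because there is no known way to produce a second input with a chosen SHA-256. Note that pinning a digest only helps if the manifest that carries it is itself authenticated (HTTPS with certificate validation, or better, a signature the updater verifies with a baked-in vendor key); a digest fetched over the same tamperable channel as the file buys nothing.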

MrBruh also says a separate redirection bug means the updater may not be able to update itself properly. He recommends that users fully uninstall AMD's software and download the latest versions manually from the company's website instead.