Skip to main content

AMD uProf CVE-2026-0466

| EUVDEUVD-2026-35767 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-09 AMD GHSA-6xjp-685p-944f
6.8
CVSS 4.0 · Vendor: AMD
Share

Severity by source

Vendor (AMD) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (AMD) · only source for this CVE.

CVSS VectorVendor: AMD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 20:01 vuln.today
CVSS changed
Jun 09, 2026 - 18:22 NVD
6.8 (MEDIUM)

DescriptionCVE.org

Improper access control in AMD uProf may allow a local attacker with user privileges to write to the kernel-shared memory section, potentially resulting in crash or denial of service.

AnalysisAI

Improper access control in AMD µProf exposes a kernel-shared memory section to low-privileged local users, enabling writes that can crash the system or cause a denial of service. All AMD µProf versions prior to 5.3 are affected across supported platforms. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) indicates straightforward local exploitation requiring only basic user privileges with no additional complexity or user interaction.

Technical ContextAI

AMD µProf (Micro Profiler) is a performance analysis and profiling tool for AMD processors and GPUs, requiring kernel-level integration to access hardware performance monitoring units and counters. This design necessitates shared memory sections bridging user-mode processes and the kernel. The listed CWE is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), but the vulnerability description centers on a write primitive to a kernel-shared memory region - behavior more characteristic of CWE-284 (Improper Access Control) or CWE-732 (Incorrect Permission Assignment for Critical Resource). This CWE assignment discrepancy is noted and may reflect a secondary information exposure aspect, but the primary exploitable condition is the lack of write-access enforcement on a memory region that should be kernel-exclusive or read-only from user space. The CPE string cpe:2.3:a:amd:amd_µprof:*:*:*:*:*:*:*:* confirms all prior releases are in scope.

RemediationAI

Upgrade AMD µProf to version 5.3, which is the vendor-released patch confirmed by both EUVD-2026-35767 and AMD Security Bulletin AMD-SB-9025 (https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9025.html). If immediate patching is not feasible, restrict local user access to the µProf binaries and associated kernel driver or kernel module using filesystem access control lists (ACLs) or discretionary access controls, limiting execution to specific trusted accounts only - note this may break legitimate profiling workflows for affected users. On multi-user or production systems where AMD µProf is not actively required, uninstalling the tool and unloading its kernel components eliminates the attack surface entirely with no functional trade-off for non-developer systems. Do not rely on network-layer controls, as this is a local attack vector (AV:L).

Share

CVE-2026-0466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy