Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (AMD) · only source for this CVE.
CVSS VectorVendor: AMD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper access control in AMD uProf may allow a local attacker with user privileges to write to the kernel-shared memory section, potentially resulting in crash or denial of service.
AnalysisAI
Improper access control in AMD µProf exposes a kernel-shared memory section to low-privileged local users, enabling writes that can crash the system or cause a denial of service. All AMD µProf versions prior to 5.3 are affected across supported platforms. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) indicates straightforward local exploitation requiring only basic user privileges with no additional complexity or user interaction.
Technical ContextAI
AMD µProf (Micro Profiler) is a performance analysis and profiling tool for AMD processors and GPUs, requiring kernel-level integration to access hardware performance monitoring units and counters. This design necessitates shared memory sections bridging user-mode processes and the kernel. The listed CWE is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), but the vulnerability description centers on a write primitive to a kernel-shared memory region - behavior more characteristic of CWE-284 (Improper Access Control) or CWE-732 (Incorrect Permission Assignment for Critical Resource). This CWE assignment discrepancy is noted and may reflect a secondary information exposure aspect, but the primary exploitable condition is the lack of write-access enforcement on a memory region that should be kernel-exclusive or read-only from user space. The CPE string cpe:2.3:a:amd:amd_µprof:*:*:*:*:*:*:*:* confirms all prior releases are in scope.
RemediationAI
Upgrade AMD µProf to version 5.3, which is the vendor-released patch confirmed by both EUVD-2026-35767 and AMD Security Bulletin AMD-SB-9025 (https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9025.html). If immediate patching is not feasible, restrict local user access to the µProf binaries and associated kernel driver or kernel module using filesystem access control lists (ACLs) or discretionary access controls, limiting execution to specific trusted accounts only - note this may break legitimate profiling workflows for affected users. On multi-user or production systems where AMD µProf is not actively required, uninstalling the tool and unloading its kernel components eliminates the attack surface entirely with no functional trade-off for non-developer systems. Do not rely on network-layer controls, as this is a local attack vector (AV:L).
Man-in-the-middle attacks against AMD's optional desktop tools - AMD Management Console (AMC), AMD Ryzen Master, and AMD
Unrestricted resource allocation in AMD µProf allows a local low-privileged user to consume excessive system resources,
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35767
GHSA-6xjp-685p-944f