Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (AMD) · only source for this CVE.
CVSS VectorVendor: AMD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of availability.
AnalysisAI
Unrestricted resource allocation in AMD µProf allows a local low-privileged user to consume excessive system resources, resulting in a loss of availability (denial of service). The CVSS 4.0 score of 6.8 reflects a locally exploitable, low-complexity attack requiring only low privileges with no user interaction needed. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the straightforward nature of resource exhaustion attacks makes it a realistic local threat on systems where AMD µProf is deployed.
Technical ContextAI
AMD µProf (Micro Profiler) is a CPU and platform performance analysis tool designed for AMD processors, used primarily by developers and system administrators to profile application performance. The affected software is identified via CPE cpe:2.3:a:amd:amd_µprof:*:*:*:*:*:*:*:*. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling), a class of vulnerability where the application fails to enforce upper bounds on how many resources (memory, CPU cycles, file handles, etc.) a caller can request or consume. Without such limits, a low-privileged local process can repeatedly invoke the vulnerable code path, driving the host system toward resource exhaustion and triggering a denial-of-service condition.
RemediationAI
The primary fix is to upgrade AMD µProf to version 5.3, which addresses this vulnerability per AMD Security Bulletin AMD-SB-9025 (https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9025.html) and confirmed by EUVD-2026-35768. If immediate patching is not feasible, restrict execution of AMD µProf to authorized administrator accounts only, removing access for general or low-privileged users - this eliminates the PR:L attack surface by ensuring only trusted users can invoke the tool. Additionally, deploying resource quota controls at the OS level (e.g., ulimit on Linux, Job Objects on Windows) to cap per-process CPU and memory consumption can limit the blast radius of a triggered event, though this is a compensating control and not a substitute for patching. Note that restricting access to µProf may impact developer workflows on shared systems, and OS-level quotas could interfere with legitimate profiling sessions if set too aggressively.
Man-in-the-middle attacks against AMD's optional desktop tools - AMD Management Console (AMC), AMD Ryzen Master, and AMD
Improper access control in AMD µProf exposes a kernel-shared memory section to low-privileged local users, enabling writ
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35768
GHSA-pmpj-jgh3-696q