Skip to main content

AMD µProf EUVDEUVD-2026-35768

| CVE-2026-28237 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-09 AMD GHSA-pmpj-jgh3-696q
6.8
CVSS 4.0 · Vendor: AMD
Share

Severity by source

Vendor (AMD) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (AMD) · only source for this CVE.

CVSS VectorVendor: AMD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 20:00 vuln.today
CVSS changed
Jun 09, 2026 - 18:22 NVD
6.8 (MEDIUM)

DescriptionCVE.org

Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of availability.

AnalysisAI

Unrestricted resource allocation in AMD µProf allows a local low-privileged user to consume excessive system resources, resulting in a loss of availability (denial of service). The CVSS 4.0 score of 6.8 reflects a locally exploitable, low-complexity attack requiring only low privileges with no user interaction needed. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the straightforward nature of resource exhaustion attacks makes it a realistic local threat on systems where AMD µProf is deployed.

Technical ContextAI

AMD µProf (Micro Profiler) is a CPU and platform performance analysis tool designed for AMD processors, used primarily by developers and system administrators to profile application performance. The affected software is identified via CPE cpe:2.3:a:amd:amd_µprof:*:*:*:*:*:*:*:*. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling), a class of vulnerability where the application fails to enforce upper bounds on how many resources (memory, CPU cycles, file handles, etc.) a caller can request or consume. Without such limits, a low-privileged local process can repeatedly invoke the vulnerable code path, driving the host system toward resource exhaustion and triggering a denial-of-service condition.

RemediationAI

The primary fix is to upgrade AMD µProf to version 5.3, which addresses this vulnerability per AMD Security Bulletin AMD-SB-9025 (https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9025.html) and confirmed by EUVD-2026-35768. If immediate patching is not feasible, restrict execution of AMD µProf to authorized administrator accounts only, removing access for general or low-privileged users - this eliminates the PR:L attack surface by ensuring only trusted users can invoke the tool. Additionally, deploying resource quota controls at the OS level (e.g., ulimit on Linux, Job Objects on Windows) to cap per-process CPU and memory consumption can limit the blast radius of a triggered event, though this is a compensating control and not a substitute for patching. Note that restricting access to µProf may impact developer workflows on shared systems, and OS-level quotas could interfere with legitimate profiling sessions if set too aggressively.

Share

EUVD-2026-35768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy