June 11, 2026
Patch me if you can
The RCE that AMD wouldn't fix
AMD got caught with a risky updater and the internet was not in a forgiving mood
TLDR: A researcher found that an AMD updater could be tricked into downloading and running the wrong file, and AMD's bug bounty program first ruled it out of scope instead of treating it as a payout-worthy bug. Commenters are fighting over whether that is reasonable process or corporate nonsense, with plenty of mockery over such a basic mistake.
What started as one gamer being annoyed by a mystery pop-up on a new PC turned into the kind of tech scandal commenters love to feast on. The researcher dug into AMD's update tool and found that it fetched executables over plain HTTP and ran them without checking a signature, so someone on the same network path could swap in a malicious download. In plain English: a background updater for some AMD software could be tricked into running the wrong thing. AMD's bug bounty partner first brushed it off as out of scope, which is where the real popcorn moment began.
On Hacker News, the crowd split into camps instantly. One side went full "this is outrageous", with critics saying regular users don't care about corporate rulebooks, they care that risky software shipped at all. Another side played cleanup crew, pointing out that AMD never said the bug was fake, only that it didn't qualify for prize money. That distinction mattered a lot to security veterans, but to angry readers it sounded like classic bureaucratic dodgeball. Then came the extra drama: AMD later said it would review the report, issue a CVE, and fix it, but still wanted the blog post taken down and hinted the wait could stretch beyond the usual 90-day timeline.
The funniest reactions were also the bleakest: people joked that this wasn’t elite hacker wizardry, just forgotten software doing embarrassingly basic things wrong. Others escalated fast into spy-movie territory, warning that the kind of attacker who could abuse this might be a nation-state sitting on network links. In short, the comments turned a niche security report into a messy morality play about trust, red tape, and whether “optional tool” is the weakest excuse in tech this week.
Key Points
- The article says AMD AutoUpdate used HTTP for executable downloads even though its update feed URL was served over HTTPS.
- The author states the updater executed downloaded files without certificate or signature validation, creating a potential remote code execution path via man-in-the-middle tampering.
- AMD's bug bounty process initially marked the report out of scope because the issue involved a MITM scenario and an optional tool.
- After further internal review, AMD told the author it would issue a CVE, implement a fix, and provide researcher recognition.
- AMD indicated the disclosure timeline would likely extend beyond the commonly cited 90-day standard because more tools than Ryzen Master appeared to be affected.
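The first two key points describe a classic updater flaw: an HTTPS-served feed that points at a plain-HTTP executable, which is then run with no integrity check. The following is an added example, not code from the article, from the researcher, or from AMD, that simulates both flows in memory: the vulnerable "fetch and run" pattern beside a hardened one that refuses plaintext download URLs and pins the installer's SHA-256 in the HTTPS-served feed. The tool name, URLs, installer bytes and attacker model are all constructed assumptions.

```python
"""Added example (not the article's or AMD's code): a simulated auto-updater
showing why "HTTPS feed, HTTP download, no signature check" is remote code
execution for anyone on the network path, and what a hardened flow checks
before it runs anything. Transport is simulated; nothing touches the network."""

import hashlib
import hmac

# Constructed stand-ins for the installer the vendor built and for what an
# on-path attacker would substitute. Real files would be PE executables.
GENUINE_INSTALLER = b"MZ\x90\x00 constructed genuine installer bytes"
MALICIOUS_INSTALLER = b"MZ\x90\x00 constructed attacker payload"

# Weak feed (assumed layout): fetched over HTTPS, but it points at a plain-HTTP
# download and carries no integrity data for the file it references.
WEAK_FEED = {
    "tool": "ExampleTool",
    "version": "2.0",
    "url": "http://updates.example.invalid/ExampleTool-2.0.exe",
}

# Hardened feed (assumed layout): same authenticated channel, but the download
# is HTTPS and the feed pins the SHA-256 of the exact bytes the vendor built.
HARDENED_FEED = {
    "tool": "ExampleTool",
    "version": "2.0",
    "url": "https://updates.example.invalid/ExampleTool-2.0.exe",
    "sha256": hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
}


def fetch(url: str, on_path_attacker: bool = False,
          compromised_mirror: bool = False) -> bytes:
    """Simulated transport.

    An on-path attacker can rewrite any plaintext HTTP response but cannot
    alter an HTTPS response without breaking TLS. A compromised mirror serves
    a bad file over a perfectly valid TLS connection, which only an
    end-to-end integrity check (digest or code signature) can catch."""
    if compromised_mirror:
        return MALICIOUS_INSTALLER
    if url.startswith("http://") and on_path_attacker:
        return MALICIOUS_INSTALLER
    return GENUINE_INSTALLER


def execute(payload: bytes) -> str:
    """Stand-in for launching the downloaded installer; returns a label so the
    caller can see which binary would have run with the updater's privileges."""
    return "ran:" + ("genuine" if payload == GENUINE_INSTALLER else "malicious")


def vulnerable_update(feed: dict, **transport) -> str:
    """The pattern the report describes: take whatever the download returned
    and run it. No transport check, no integrity check."""
    return execute(fetch(feed["url"], **transport))


def hardened_update(feed: dict, **transport) -> str:
    """Refuse plaintext transport, require pinned integrity data, and verify
    the downloaded bytes against it before anything is executed."""
    if not feed["url"].startswith("https://"):
        return "refused:plaintext-url"
    if "sha256" not in feed:
        return "refused:no-integrity-data"
    payload = fetch(feed["url"], **transport)
    digest = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; a mismatch means the file is not the one
    # the vendor published, whoever served it.
    if not hmac.compare_digest(digest, feed["sha256"]):
        return "refused:digest-mismatch"
    return execute(payload)


if __name__ == "__main__":
    print("vulnerable, attacker on path :", vulnerable_update(WEAK_FEED, on_path_attacker=True))
    print("hardened, weak feed          :", hardened_update(WEAK_FEED, on_path_attacker=True))
    print("hardened, attacker on path   :", hardened_update(HARDENED_FEED, on_path_attacker=True))
    print("hardened, compromised mirror :", hardened_update(HARDENED_FEED, compromised_mirror=True))
```

The pinned digest is what actually closes the RCE: once the feed is fetched over TLS with certificate validation, a tampered download fails the comparison regardless of how it was served, so even an HTTP download URL would degrade to a denial of service rather than code execution. Requiring HTTPS for the binary as well, and verifying the vendor's code signature (Authenticode on Windows) before launch, are the defence-in-depth layers a real updater would add on top.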