MEDIUM 5.5

CVE-2026-28237: AMD uProf Resource Exhaustion Vulnerability – Patch Guidance

AMD uProf, a performance profiling tool used by developers and system administrators, contains a flaw in how it allocates system resources. An authenticated local user can trigger excessive resource consumption—such as memory or CPU—causing the application or system to become unresponsive or crash. This is a localized availability issue that does not expose data or allow privilege escalation, but it can disrupt legitimate work on affected machines.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-770
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of availability.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-28237 is an unrestricted resource allocation vulnerability (CWE-770) in AMD uProf. The vulnerability stems from insufficient bounds checking or rate limiting on resource requests, allowing an authenticated local attacker to exhaust system resources without proper throttling. The CVSS 3.1 score of 5.5 (MEDIUM) reflects the local attack vector, requirement for prior authentication, and impact limited to availability; no confidentiality or integrity impact is present.

Business impact

Organizations relying on AMD uProf for performance analysis and optimization workflows may experience service disruptions on affected systems. System administrators may face unplanned downtime or resource contention that interferes with legitimate profiling activities. The risk is bounded to the local system where uProf runs, so organizational-wide availability impact is unlikely unless uProf is central to critical analysis pipelines. Recovery typically requires restarting the affected service or system.

Affected systems

AMD uProf is the affected product. The vulnerability applies to the tool itself across supported platforms. Organizations should verify which versions of AMD uProf are deployed in their environment and whether they are actively used in production or development workflows. Consult AMD's security advisories for specific version ranges that require patching.

Exploitability

Exploitation requires local system access and valid user credentials on the machine where uProf is installed. An authenticated user with local login capabilities can trigger the resource exhaustion without elevated privileges. There is no remote attack vector, and accidental triggering is unlikely given the specific conditions needed. Active exploitation in the wild is not currently tracked; this is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Apply patches released by AMD for uProf. Update to the patched version specified in AMD's security advisory. Pending patch deployment, restrict local access to systems running uProf to trusted users only. Consider temporarily disabling or isolating uProf in non-critical environments if resource exhaustion events are observed.

Patch guidance

Check AMD's official security advisories and uProf release notes for patched versions. Patches should be tested in a non-production environment first, as performance profiling tools are often tightly integrated with build and analysis pipelines. Coordinate with development and infrastructure teams before applying updates. Verify the patch version against the vendor advisory before deployment.

Detection guidance

Monitor system resource utilization (CPU, memory) on machines running AMD uProf, particularly for anomalous spikes correlated with uProf process activity. Log authentication events for uProf access or administrative accounts that run it. Collect process-level metrics using system monitoring tools to identify resource exhaustion patterns. Alert on sustained high resource consumption from uProf processes that deviate from normal profiling workloads.

Why prioritize this

This vulnerability merits prompt attention for organizations actively using AMD uProf, but it is not critical. The MEDIUM severity rating reflects limited blast radius (local only), no data exposure risk, and the requirement for pre-existing authentication. Prioritize patching in development and test environments where uProf is most heavily used; then extend to production systems on a normal patch cycle.

Risk score, explained

The CVSS 3.1 score of 5.5 is driven by high availability impact (A:H) but mitigated by the local attack vector (AV:L) and requirement for low-privileged authentication (PR:L). No confidentiality or integrity impact is assigned. This places the vulnerability in the MEDIUM band—significant enough to warrant patching, but not an emergency.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attack vector is local (AV:L), meaning the attacker must have access to the machine where AMD uProf is installed. There is no network-based exploitation path.

Do we need administrative privileges to trigger this vulnerability?

No. The CVSS vector indicates low privilege requirements (PR:L), so a standard user account on the local system is sufficient to trigger resource exhaustion.

Is there evidence of active exploitation?

No. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, and there are no current reports of weaponized exploitation in the wild.

What should we do while waiting for patches?

Restrict local access to systems running AMD uProf to authorized users only. Monitor system resources for anomalies. If you observe persistent resource exhaustion tied to uProf, consider temporarily disabling it or isolating affected systems until patches are available.

This analysis is based on the CVE record and vendor information current as of the publication date. Security posture, patch availability, and mitigation effectiveness may vary by environment. Organizations should verify all details against AMD's official security advisories and their own risk management policies. SEC.co makes no warranty regarding patch timelines, version numbers, or organizational applicability. Consult with AMD support and your internal security teams before implementing changes in production environments. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).