CVE-2024-36333 Overview
CVE-2024-36333 is a DLL hijacking vulnerability in the AMD Cleanup Utility, a tool used to remove AMD graphics driver components from Windows systems. The flaw stems from insecure library loading behavior tracked as [CWE-427: Uncontrolled Search Path Element]. An attacker who can place a malicious Dynamic Link Library (DLL) in a directory searched by the utility can achieve privilege escalation and arbitrary code execution in the context of the running process. The vulnerability affects the AMD Cleanup Utility and a wide range of AMD Radeon Pro workstation graphics products that rely on the affected Radeon Software stack.
Critical Impact
Successful exploitation allows local attackers to load attacker-controlled code with elevated privileges, leading to arbitrary code execution on the target Windows host.
Affected Products
- AMD Cleanup Utility version 25.20.00.00
- AMD Radeon Software (Pro edition)
- AMD Radeon Pro workstation GPUs including Radeon Pro VII, W5500/W5500X, W5700/W5700X, W6300/W6300M, W6400, W6500M, W6600/W6600M/W6600X, W6800/W6800X/W6800X Duo, and W6900X
Discovery Timeline
- 2026-05-15 - CVE-2024-36333 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2024-36333
Vulnerability Analysis
The AMD Cleanup Utility is typically executed with elevated rights to remove driver files, registry entries, and services associated with AMD Radeon graphics components. The utility loads one or more libraries during initialization without enforcing a fully qualified path or signature validation. This behavior maps directly to CWE-427, where an application resolves a library name through the standard Windows search order rather than from a trusted, fixed location.
Because exploitation requires local access and user interaction to launch the utility, the attack is constrained to scenarios where an adversary already has a foothold on the host or can stage a malicious file in a writable directory. Once the planted DLL is loaded, code runs at the privilege level of the cleanup utility process, which is generally elevated.
Root Cause
The root cause is uncontrolled search path resolution during DLL loading. When the AMD Cleanup Utility calls a library by name without specifying an absolute path, Windows searches a defined sequence of locations, including the application's working directory. An attacker who controls any directory earlier in the search order than the legitimate library location can substitute a malicious DLL with the same filename.
Attack Vector
Exploitation is local and requires low privileges plus user interaction to start the utility. A typical attack chain involves an adversary placing a crafted DLL in a location reached by the Windows library search order, such as the directory from which the cleanup utility is launched. When a user or administrator runs the AMD Cleanup Utility, the malicious DLL is loaded into the elevated process, granting the attacker code execution with the utility's privileges. Refer to the AMD Security Bulletin AMD-SB-6027 for vendor technical detail.
Detection Methods for CVE-2024-36333
Indicators of Compromise
- Unsigned or unexpected DLL files located in the same directory as AMDCleanupUtility.exe or in user-writable directories preceding system paths in the load order.
- Process creation events showing the AMD Cleanup Utility spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe.
- Module load events where the cleanup utility process loads DLLs from non-standard paths like %TEMP%, %USERPROFILE%\Downloads, or removable media.
Detection Strategies
- Hunt for image load telemetry where AMD Cleanup Utility processes load DLLs from paths outside Program Files, Windows\System32, or AMD's signed installation directories.
- Alert on Authenticode signature mismatches where a DLL loaded by the AMD utility is unsigned or signed by an unexpected publisher.
- Correlate file creation in download or temp directories with subsequent execution of the AMD Cleanup Utility within a short time window.
Monitoring Recommendations
- Enable Sysmon Event ID 7 (Image Loaded) and forward to a SIEM to baseline expected DLL load paths for AMD utilities.
- Track process integrity level transitions when administrative tools execute from user-controlled directories.
- Review endpoint logs for users running driver maintenance tools from non-standard locations such as removable drives or shared folders.
How to Mitigate CVE-2024-36333
Immediate Actions Required
- Download and run the AMD Cleanup Utility only from the official AMD download portal and execute it from a clean, fully qualified path such as C:\Temp\AMDCleanupUtility\.
- Restrict the directory containing the utility so that only administrators have write access, preventing low-privilege users from staging malicious DLLs.
- Avoid running the utility from Downloads, removable media, or any directory that allows write access to standard users.
Patch Information
AMD has published guidance and a fixed version through AMD Security Bulletin AMD-SB-6027. Administrators should obtain the latest AMD Cleanup Utility build and updated AMD Radeon Software Pro Edition packages from AMD and replace any locally cached copies of version 25.20.00.00.
Workarounds
- Execute the AMD Cleanup Utility only from directories that enforce administrator-only write permissions, eliminating the planting opportunity.
- Remove the utility binary from endpoints when not actively in use, and re-download fresh copies from AMD before each maintenance session.
- Apply application control policies such as Windows Defender Application Control or AppLocker to block execution of unsigned DLLs in user-writable paths.
# Example: use icacls to restrict write access on the utility's working directory
icacls "C:\Tools\AMDCleanupUtility" /inheritance:r
icacls "C:\Tools\AMDCleanupUtility" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
