CVE-2024-36334 Overview
CVE-2024-36334 is an improper verification of cryptographic signature vulnerability [CWE-347] affecting the AMD Radeon RGB tool. The flaw allows a malicious file placed in the installation directory to execute with elevated privileges. Successful exploitation can lead to arbitrary code execution on the affected host.
AMD disclosed the vulnerability in security bulletin AMD-SB-6027. The issue requires local access and user interaction, but carries high impact on confidentiality, integrity, and availability.
Critical Impact
A local attacker with low privileges who places a crafted file in the Radeon RGB tool installation directory can achieve arbitrary code execution at elevated privilege, enabling full host compromise.
Affected Products
- AMD Radeon RGB tool (see AMD-SB-6027 for affected versions)
- Systems where AMD Radeon software components install the RGB tool
- Windows endpoints running the vulnerable AMD Radeon RGB utility
Discovery Timeline
- 2026-05-15 - CVE-2024-36334 published to the National Vulnerability Database
- 2026-05-15 - Last updated in NVD database
- Vendor advisory - AMD published security bulletin AMD-SB-6027
Technical Details for CVE-2024-36334
Vulnerability Analysis
The Radeon RGB tool loads files from its installation directory without correctly verifying their cryptographic signature. When the tool runs at elevated privileges, an attacker-controlled file placed in that directory inherits those privileges during execution.
This weakness maps to [CWE-347], Improper Verification of Cryptographic Signature. The signature check is either skipped, incorrectly implemented, or applied to the wrong artifact. As a result, the trust boundary between signed vendor components and untrusted local files collapses.
The vulnerability requires local access, low privileges, and user interaction, according to AMD's CVSS 4.0 vector. Exploitation does not require network access or kernel-level primitives. Once a malicious file is staged, normal use of the RGB tool triggers code execution.
Root Cause
The root cause is missing or incomplete signature validation on dependencies and modules loaded by the Radeon RGB tool. Trusted executables should validate the Authenticode signature of every loaded binary, configuration, or script. The RGB tool fails to enforce this check on files within its installation directory.
Attack Vector
An attacker with local access first writes a malicious payload into the Radeon RGB tool's installation directory. Write access may be obtained through a separate weakness, overly permissive directory ACLs, or a prior foothold on the system. When the tool runs or is launched by a higher-privileged user, the unsigned or improperly verified file is loaded and executed with the host process's privileges.
No verified public proof-of-concept code is available. Refer to the AMD Security Bulletin #6027 for vendor-confirmed technical details.
Detection Methods for CVE-2024-36334
Indicators of Compromise
- Unsigned or unexpected executables, DLLs, or scripts in the Radeon RGB tool installation directory
- File modifications in the AMD installation path by non-installer processes
- Child processes of the Radeon RGB tool spawning command shells, powershell.exe, or cmd.exe
- New persistence entries created by the RGB tool process after a recent file drop
Detection Strategies
- Monitor file creation and modification events in the AMD Radeon installation directory using endpoint telemetry
- Alert on loads of unsigned modules by the Radeon RGB tool process
- Correlate low-privilege user file writes with subsequent elevated process execution from the same directory
- Hunt for anomalous child processes spawned by AMD Radeon binaries
Monitoring Recommendations
- Enable Windows process creation auditing (Event ID 4688) with command-line logging
- Capture image load events (Sysmon Event ID 7) for AMD Radeon executables
- Track integrity of the installation directory using file integrity monitoring
- Forward endpoint and Sysmon events to a centralized SIEM for retrospective hunting
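The following PowerShell sweep is an added example, not code from AMD or the bulletin. It covers the first indicator above (unsigned or unexpected files in the installation directory) and the Sysmon Event ID 7 check. The installation path is the one used in this page's icacls example, and the expected signer pattern is an assumption to confirm against a known-good install.

```powershell
# Added example, not AMD or vendor code. Assumptions: $InstallDir is the path from
# this page's icacls example; $ExpectedSigner is a guess to confirm on a known-good host.
param(
    [string]$InstallDir     = 'C:\Program Files\AMD\Radeon RGB',
    [string]$ExpectedSigner = '*Advanced Micro Devices*',
    [int]$LookbackDays      = 7
)
$extensions = '.exe', '.dll', '.sys', '.ps1', '.psm1', '.vbs', '.js', '.msi'

# 1. On-disk sweep: loadable files that are not validly signed by the expected publisher.
$onDisk = Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notlike $ExpectedSigner) {
            [pscustomobject]@{
                Source  = 'Disk'
                Path    = $_.FullName
                Status  = "$($sig.Status)"
                Signer  = $subject
                TimeUtc = $_.LastWriteTimeUtc
                Context = "owner: $((Get-Acl -LiteralPath $_.FullName).Owner)"
            }
        }
    }

# 2. Sysmon Event ID 7 (image load logging must be enabled in the Sysmon config):
#    modules loaded from the directory that Sysmon recorded as unsigned or not valid.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
             StartTime = (Get-Date).AddDays(-$LookbackDays) }
$loaded = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $d = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ImageLoaded -like (Join-Path $InstallDir '*') -and
        ($d.Signed -ne 'true' -or $d.SignatureStatus -ne 'Valid')) {
        [pscustomobject]@{
            Source  = 'Sysmon7'
            Path    = $d.ImageLoaded
            Status  = $d.SignatureStatus
            Signer  = $d.Signature
            TimeUtc = $evt.TimeCreated.ToUniversalTime()
            Context = "loaded by: $($d.Image)"
        }
    }
}

@($onDisk) + @($loaded) | Sort-Object TimeUtc | Format-List
```

A file that appears in both sources, written shortly before it was loaded, matches the file-drop-then-execution pattern described under Detection Strategies.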
How to Mitigate CVE-2024-36334
Immediate Actions Required
- Apply the AMD update referenced in AMD-SB-6027 as soon as it is available for your platform
- Inventory endpoints running the AMD Radeon RGB tool and prioritize patching workstations with multiple local users
- Restrict write permissions on the Radeon RGB installation directory to administrators only
- Remove the Radeon RGB tool from systems that do not require it
Patch Information
AMD has published remediation guidance in the AMD Security Bulletin #6027. Administrators should consult the bulletin for fixed versions and download links, then deploy the update through standard software distribution channels.
Workarounds
- Tighten NTFS ACLs on the Radeon RGB installation directory to deny write access to standard users
- Block execution of unsigned binaries from the installation path using Windows Defender Application Control or AppLocker
- Avoid running the Radeon RGB tool with administrative privileges where possible
- Uninstall the Radeon RGB tool on endpoints where RGB lighting control is not required
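# Example: restrict write access to the Radeon RGB installation directory (PowerShell)
# Adjust $path to the actual installation location on the endpoint
$path = "C:\Program Files\AMD\Radeon RGB"
# Remove inherited ACEs so that only the explicit entries granted below apply
icacls $path /inheritance:r
# Full control for Administrators and SYSTEM; read and execute only for standard users
icacls $path /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"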
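To confirm that the ACL change took effect, the added example below (not from the AMD bulletin) walks the directory tree and reports any owner or Allow entry that still gives a non-privileged principal write-class access. It assumes the same installation path as the icacls example above and treats SYSTEM, Administrators and TrustedInstaller as the only expected writers.

```powershell
# Added example, not vendor code. $InstallDir is the path from the icacls example above.
param([string]$InstallDir = 'C:\Program Files\AMD\Radeon RGB')

# Rights that let a principal plant, replace or re-permission a file.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericBits = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, which appear in some raw ACEs
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Principals expected to keep write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

$items = @(Get-Item -LiteralPath $InstallDir) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # A non-privileged owner can rewrite the DACL whatever the ACEs say.
    $ownerSid = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $ownerSid) {
        [pscustomobject]@{ Path = $item.FullName; Identity = $acl.Owner; Issue = 'Owner' }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }   # affects children only
        if (-not ([int]$ace.FileSystemRights -band ($writeBits -bor $genericBits))) { continue }
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if ($trusted -notcontains $sid) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $ace.IdentityReference.Value
                               Issue = "Allow $($ace.FileSystemRights)" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No non-privileged write access found under $InstallDir" }
```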