CVE-2026-0432 Overview
CVE-2026-0432 affects the AMD chipset driver, where incorrect default permissions on the installation directory allow a local attacker to achieve privilege escalation and arbitrary code execution. The flaw is classified under CWE-276: Incorrect Default Permissions. A low-privileged local user can leverage the weak directory access controls to plant or modify executable content that runs in a higher-privileged context. AMD documented the issue in security bulletins AMD-SB-3047 and AMD-SB-4015.
Critical Impact
A local attacker with low privileges can escalate to SYSTEM-level code execution on Windows hosts running affected AMD chipset driver installations, undermining endpoint confidentiality, integrity, and availability.
Affected Products
- AMD chipset driver (see AMD-SB-3047)
- AMD chipset driver installation directory components referenced in AMD-SB-4015
- Windows systems running vulnerable AMD chipset driver builds
Discovery Timeline
- 2026-05-15 - CVE-2026-0432 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-0432
Vulnerability Analysis
The AMD chipset driver installer creates its installation directory with permissions that grant write or modify access to non-administrative users. Files within this directory are later executed or loaded by privileged processes, including services running as NT AUTHORITY\SYSTEM. A local attacker who can write to the directory can replace a legitimate binary or drop a malicious DLL that is subsequently loaded by a privileged component. The result is arbitrary code execution at the privilege level of the loading process. The weakness is local in nature and requires the attacker to already hold a valid low-privileged account on the host.
Root Cause
The root cause is CWE-276: Incorrect Default Permissions on the chipset driver installation directory. The installer fails to apply restrictive Access Control Lists (ACLs) limiting write access to administrators and the SYSTEM account. Inherited or default permissions permit standard users to modify directory contents that are trusted by privileged code paths.
Attack Vector
Exploitation requires local access with low privileges and no user interaction. An attacker identifies a writable file or path within the AMD chipset driver installation directory that is invoked by a privileged service, scheduled task, or update routine. The attacker replaces the target with a malicious payload. When the privileged process next executes or loads the file, the attacker's code runs at the elevated privilege level. The technical details of file paths and impacted components are described in the AMD advisories referenced above.
Detection Methods for CVE-2026-0432
Indicators of Compromise
- Unexpected writes by non-administrative users to AMD chipset driver installation paths under Program Files or vendor-specific directories.
- New or modified executables, DLLs, or scripts in the AMD chipset driver directory that lack a valid AMD digital signature.
- Child processes spawned by AMD driver services or installer components that do not match known-good baselines.
Detection Strategies
- Monitor file integrity on the AMD chipset driver installation directory and alert on modifications by non-privileged Security Identifiers (SIDs).
- Audit directory ACLs using icacls against a baseline to identify weak permissions allowing BUILTIN\Users write access.
- Correlate privileged process loads of DLLs from user-writable paths with prior write events from low-privileged accounts.
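The ACL baseline audit from the list above, as an added PowerShell example that is not from AMD's bulletins or the original page. It walks the directory tree and reports every owner or Allow ACE that gives a principal outside an assumed trusted set write, delete or permission-change rights; the path is the one used in this page's workaround, and the trusted SID list and the function name `Get-WeakAce` are assumptions.

```powershell
# Added example: list owners and ACEs under the driver directory that let a
# non-administrative principal write, delete or re-permission content.
param([string]$Root = 'C:\Program Files\AMD\Chipset_Software')  # path from this page's workaround

# Assumption: only these principals should hold write-type rights here.
$Trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inherit-only placeholder ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
$SidType   = [System.Security.Principal.SecurityIdentifier]
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL: raw generic bits that show up on some inherit-only ACEs.
$GenericMask = 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # An untrusted owner can rewrite the DACL even without an explicit write ACE.
    $owner = $acl.GetOwner($SidType).Value
    if ($Trusted -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Sid = $owner; Issue = 'Owner'; Rights = 'implicit WRITE_DAC'; Inherited = $false }
    }
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($Trusted -contains $sid) { continue }
        $bits = [int]$ace.FileSystemRights
        if (($bits -band $WriteMask) -or ($bits -band $GenericMask)) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Issue = 'WritableAce'; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Check the root itself plus every file and subdirectory beneath it.
$paths = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object FullName)
$findings = foreach ($p in $paths) { Get-WeakAce -Path $p }
$findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
```

An empty table means no untrusted principal holds write-type rights anywhere under the directory; rows with `Inherited` set to `True` point at a parent directory whose ACL is the real source of the weakness.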
Monitoring Recommendations
- Enable Windows object access auditing on the AMD chipset driver directory and forward events 4663 and 4670 to a centralized log platform.
- Track service starts and binary loads from the affected directory for anomalies in parent process lineage.
- Inventory hosts running vulnerable AMD chipset driver versions to scope exposure across the fleet.
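One way to set up the object access auditing described above and review the resulting events locally, as an added PowerShell example that is not part of the original page. The path is the one from this page's workaround, the 24-hour window and the choice to exclude only the SYSTEM account are assumptions, and `auditpol` is called with the English subcategory name.

```powershell
# Added example: audit write-type access to the driver directory, then review
# events 4663 (object access) and 4670 (permissions changed). Run elevated.
param([string]$Root = 'C:\Program Files\AMD\Chipset_Software',  # path from this page's workaround
      [int]$Hours = 24)                                         # assumed look-back window

# 1. Enable success auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an inheritable SACL entry for Everyone (S-1-1-0) covering successful
#    writes, deletes and ACL/owner changes on the directory and its children.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl = Get-Acl -LiteralPath $Root -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# 3. Read back matching events and keep write-type access by anyone but SYSTEM.
#    Access mask bits: WriteData, AppendData, DELETE, WRITE_DAC, WRITE_OWNER.
$WriteBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000
$filter = @{ LogName = 'Security'; Id = 4663, 4670; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if (-not "$($d.ObjectName)".StartsWith($Root, 'OrdinalIgnoreCase')) { continue }
    if ($d.SubjectUserSid -eq 'S-1-5-18') { continue }            # NT AUTHORITY\SYSTEM
    if ($e.Id -eq 4663 -and -not ([Convert]::ToInt32($d.AccessMask, 16) -band $WriteBits)) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process = $d.ProcessName
        Object  = $d.ObjectName
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Rows that remain still include legitimate administrator activity, so triage them against known update and maintenance windows before alerting.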
How to Mitigate CVE-2026-0432
Immediate Actions Required
- Apply the updated AMD chipset driver release referenced in AMD-SB-3047 and AMD-SB-4015.
- Inventory all Windows endpoints with AMD chipset drivers and prioritize multi-user systems and shared workstations.
- Restrict interactive logon on servers and developer workstations until patches are deployed.
Patch Information
AMD has published guidance and fixed driver versions in the official security bulletins. Refer to AMD-SB-3047 and AMD-SB-4015 for the specific driver builds that remediate the incorrect default permissions on the installation directory.
Workarounds
- Manually tighten ACLs on the AMD chipset driver installation directory to remove write and modify rights from BUILTIN\Users and other non-administrative principals.
- Enforce application control policies such as Windows Defender Application Control (WDAC) or AppLocker to block execution of unsigned binaries from the affected directory.
- Limit local account privileges and remove standard users from groups that permit interactive logon on sensitive hosts.
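# Configuration example - audit and restrict permissions on the AMD chipset driver directory
# Run from an elevated prompt. Show the current ACL and record it as the "before" state.
icacls "C:\Program Files\AMD\Chipset_Software"
# Remove explicit grants to BUILTIN\Users (/remove:g does not touch inherited ACEs).
icacls "C:\Program Files\AMD\Chipset_Software" /remove:g "BUILTIN\Users"
# Set the explicit ACL first so SYSTEM and Administrators keep access once inheritance is removed.
icacls "C:\Program Files\AMD\Chipset_Software" /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX"
# Stop inheriting ACEs from the parent directory; only the explicit entries above remain.
icacls "C:\Program Files\AMD\Chipset_Software" /inheritance:r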


