CVE-2026-28237 Overview
CVE-2026-28237 is a resource exhaustion vulnerability in AMD uProf, AMD's performance and power profiling tool. The flaw stems from unrestricted resource allocation [CWE-770], which a local authenticated attacker can abuse to consume excessive system resources. Successful exploitation leads to a denial-of-service condition on the affected host. The vulnerability requires local access and low privileges, and does not affect confidentiality or integrity.
Critical Impact
The impact is limited to availability: a local attacker with a low-privileged account can drive AMD uProf into excessive resource consumption, degrading or halting the host it runs on. Confidentiality and integrity are not affected.
Affected Products
- AMD uProf (refer to AMD Security Bulletin AMD-SB-9025 for affected versions)
Discovery Timeline
- 2026-06-09 - CVE-2026-28237 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-28237
Vulnerability Analysis
The vulnerability resides in AMD uProf, a profiling utility used to analyze application and system performance. AMD uProf fails to enforce limits on resource allocation during specific operations. A local attacker who can interact with the profiler can request operations that allocate memory, handles, or other system resources without bound. The result is exhaustion of finite system resources and a loss of availability for the host or affected services.
The weakness is classified under [CWE-770] Allocation of Resources Without Limits or Throttling. This class of flaw typically affects code paths that accept user-controlled size parameters, iteration counts, or session counts without applying ceilings, quotas, or rate limiting. No action by any other user is required, and the effect is confined to the availability of the host on which the attacker already holds an account, which is consistent with the local attack vector and the availability-only impact.
Root Cause
Based on the CWE-770 classification, the root cause is missing capping or throttling logic on resource-allocation paths inside AMD uProf: requests that drive allocations are neither checked against an upper bound nor subject to per-user or per-session quotas. Consult AMD Security Bulletin AMD-SB-9025 for vendor-confirmed technical details and the affected component scope.
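The CWE-770 shape described in the analysis and root-cause sections, shown as an added example rather than AMD uProf's code: a hypothetical profiler session store in which the caller controls both the sample-buffer size and the number of sessions. The unbounded version accepts any values; the hardened version checks a per-request ceiling, a per-user session quota and a global memory ceiling before allocating anything. The limit constants, function names and the session-store class are assumptions for illustration, not vendor values.

```python
"""CWE-770 pattern: caller-controlled allocation size and session count with no
ceiling, beside a hardened version. Hypothetical profiler session store; this is
an added example, not AMD uProf code."""
import itertools

# Hypothetical policy constants (assumptions for the example, not vendor values).
MAX_BUFFER_BYTES = 64 * 1024 * 1024       # per-session sample buffer ceiling
MAX_SESSIONS_PER_USER = 4                 # per-user session quota
GLOBAL_CEILING_BYTES = 256 * 1024 * 1024  # total buffer memory the service may hold


class ResourceLimitExceeded(Exception):
    """Raised when a request would exceed a configured resource ceiling."""


class SessionStore:
    """Tracks live profiling sessions and the sample buffer each one holds."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.sessions = {}  # session id -> (user, buffer)

    def active_for(self, user):
        return sum(1 for owner, _ in self.sessions.values() if owner == user)

    def total_bytes(self):
        return sum(len(buf) for _, buf in self.sessions.values())

    def add(self, user, buffer_bytes):
        sid = next(self._ids)
        self.sessions[sid] = (user, bytearray(buffer_bytes))
        return sid


def start_sessions_unbounded(store, user, buffer_bytes, count):
    """Vulnerable: both the buffer size and the number of sessions come from the
    caller and are never capped, so a low-privileged local user can drive the
    process to out-of-memory (the CWE-770 shape described in the text)."""
    return [store.add(user, buffer_bytes) for _ in range(count)]


def reject_reason(store, user, buffer_bytes, count):
    """Return None if the request fits every limit, else a short reason string.
    Every check runs before any allocation happens."""
    if not 0 < buffer_bytes <= MAX_BUFFER_BYTES:
        return "buffer size outside allowed range"
    if count <= 0 or store.active_for(user) + count > MAX_SESSIONS_PER_USER:
        return "per-user session quota exceeded"
    if store.total_bytes() + buffer_bytes * count > GLOBAL_CEILING_BYTES:
        return "global memory ceiling exceeded"
    return None


def start_sessions_bounded(store, user, buffer_bytes, count):
    """Hardened: validate the upper bound, the per-user quota and the global
    ceiling, and only then allocate."""
    reason = reject_reason(store, user, buffer_bytes, count)
    if reason is not None:
        raise ResourceLimitExceeded(reason)
    return [store.add(user, buffer_bytes) for _ in range(count)]


if __name__ == "__main__":
    s = SessionStore()
    print(len(start_sessions_unbounded(s, "anyone", 4096, 1000)), "sessions accepted unbounded")
    h = SessionStore()
    print(reject_reason(h, "anyone", 1 << 30, 1))
```

The order of the checks matters: the size check runs first so that an oversized request is refused before the quota arithmetic can overflow or the allocation is attempted, and the global ceiling is evaluated against the bytes the store already holds, not just the new request.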
Attack Vector
Exploitation requires local access to a system running a vulnerable AMD uProf build and a low-privileged account that is permitted to invoke the profiler. The attacker triggers operations that drive uncontrolled resource allocation until the host exhausts memory, handles, or CPU. No exploit code has been published by the vendor or by third parties, and no public proof of concept is known at the time of writing. See AMD Security Bulletin AMD-SB-9025 for further detail.
Detection Methods for CVE-2026-28237
Indicators of Compromise
- Sustained growth in memory or handle counts attributed to AMD uProf processes such as AMDuProf (GUI) and AMDuProfCLI (command line).
- Repeated profiling sessions initiated by non-administrative users on workstations or servers where profiling is not part of normal operations.
- System instability, application crashes, or out-of-memory events correlated with AMD uProf activity in process telemetry.
Detection Strategies
- Inventory endpoints that have AMD uProf installed and flag any running a build older than the fixed version documented in AMD-SB-9025.
- Establish baselines for typical AMD uProf CPU, memory, and handle usage, then alert on sustained deviations that indicate runaway allocation rather than a normal profiling session.
- Correlate AMD uProf process events with kernel low-memory warnings: Windows Resource-Exhaustion-Detector events and Linux dmesg or journal OOM-killer entries.
Monitoring Recommendations
- Track process creation events for AMD uProf executables and capture the invoking user, command line, and parent process.
- Monitor host-level resource counters such as private bytes, working set, and handle counts for profiler processes.
- Alert on AMD uProf launches by users outside an approved performance-engineering group.
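The detection strategies and monitoring recommendations above, applied to constructed telemetry as an added example (not from the advisory or from AMD): process-creation records with the invoking user, resource samples for the profiler processes, and OOM-killer lines. It flags launches by accounts outside an approved group, processes whose working set or handle count stays above a multiple of the baseline and keeps climbing across consecutive samples, and OOM entries that name a flagged PID shortly afterwards. The approved-user set, the baseline values and all telemetry lines are assumptions constructed for the example.

```python
"""Detection logic for runaway AMD uProf resource use over constructed telemetry.
Added example; not from the advisory or from AMD."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Process image names AMD uProf ships: the GUI and the CLI, with .exe on Windows.
UPROF_IMAGES = {"AMDuProf", "AMDuProfCLI", "AMDuProf.exe", "AMDuProfCLI.exe"}

# Hypothetical approved performance-engineering group (assumption for the example).
APPROVED_USERS = {"CORP\\perfeng01"}


@dataclass
class ProcEvent:          # one process-creation record (Sysmon event 1 / auditd execve style)
    ts: int               # epoch seconds
    pid: int
    image: str            # executable basename
    user: str
    cmdline: str
    parent: str


@dataclass
class ResourceSample:     # one host counter sample for a profiler process
    ts: int
    pid: int
    working_set_mb: int
    handles: int


# Constructed telemetry. PID 4101 is an approved, well-behaved run; PID 4203 is
# launched by an unapproved account and its working set and handle count climb
# every sample until a Linux-style OOM-killer line names it.
PROC_EVENTS = [
    ProcEvent(1000, 4101, "AMDuProfCLI", "CORP\\perfeng01", "AMDuProfCLI collect", "bash"),
    ProcEvent(1200, 4203, "AMDuProfCLI", "CORP\\contractor7", "AMDuProfCLI collect", "bash"),
]
SAMPLES = [
    ResourceSample(1010, 4101, 300, 1500), ResourceSample(1020, 4101, 310, 1500),
    ResourceSample(1030, 4101, 305, 1480),
    ResourceSample(1210, 4203, 1100, 4100), ResourceSample(1220, 4203, 1500, 5200),
    ResourceSample(1230, 4203, 2100, 6300), ResourceSample(1240, 4203, 2900, 7500),
]
OOM_EVENTS = [(1260, "Out of memory: Killed process 4203 (AMDuProfCLI) total-vm:3141592kB")]


def runaway_pids(samples, baseline_mb=512, baseline_handles=2000, factor=2.0, consecutive=3):
    """Return {pid: ts of first sample in the run} for processes whose working set or
    handle count sits above factor*baseline and keeps growing for `consecutive` samples."""
    by_pid = defaultdict(list)
    for s in sorted(samples, key=lambda s: s.ts):
        by_pid[s.pid].append(s)
    flagged = {}
    for pid, seq in by_pid.items():
        run = []
        for s in seq:
            over = s.working_set_mb > factor * baseline_mb or s.handles > factor * baseline_handles
            growing = not run or (s.working_set_mb >= run[-1].working_set_mb
                                  and s.handles >= run[-1].handles)
            if over and growing:
                run.append(s)
                if len(run) >= consecutive:
                    flagged[pid] = run[0].ts
                    break
            else:
                run = []   # a dip or a sample under the threshold resets the streak
    return flagged


def analyze(events=PROC_EVENTS, samples=SAMPLES, oom_events=OOM_EVENTS,
            approved=APPROVED_USERS, window_s=120):
    """Produce findings: launches outside the approved group, runaway allocation,
    and OOM-killer entries that name a flagged PID within `window_s` seconds."""
    uprof = {e.pid: e for e in events if e.image in UPROF_IMAGES}
    findings = []
    for pid, e in uprof.items():
        if e.user not in approved:
            findings.append(("unapproved_launch", pid, e.user))
    for pid, first_ts in runaway_pids([s for s in samples if s.pid in uprof]).items():
        findings.append(("runaway_allocation", pid, first_ts))
        for oom_ts, msg in oom_events:
            m = re.search(r"Killed process (\d+)", msg)
            if m and int(m.group(1)) == pid and 0 <= oom_ts - first_ts <= window_s:
                findings.append(("oom_correlated", pid, oom_ts))
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(*finding)
```

Requiring the counters to both exceed the threshold and keep rising across several samples is what separates runaway allocation from a legitimately large but stable profiling session; tune `baseline_mb`, `baseline_handles` and `consecutive` from the baselines you establish for your own performance-engineering hosts.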
How to Mitigate CVE-2026-28237
Immediate Actions Required
- Identify all hosts with AMD uProf installed and review the AMD Security Bulletin AMD-SB-9025 for fixed versions.
- Apply the AMD-supplied update to AMD uProf on every affected system as soon as the patched build is available in your environment.
- Restrict execution of AMD uProf to a defined group of trusted performance engineers and remove the tool from general-purpose workstations where it is not required.
Patch Information
AMD has published guidance for this issue in AMD Security Bulletin AMD-SB-9025. Administrators should consult the bulletin for the fixed AMD uProf version and apply updates through standard software distribution channels.
Workarounds
- Remove AMD uProf from systems where profiling is not an operational requirement.
- Enforce least privilege by restricting which local accounts can launch AMD uProf binaries using application control or file system ACLs.
- Apply operating system resource quotas, such as Windows Job Objects or Linux cgroups and ulimit, to cap memory and handle usage for the profiler process.
# Example: cap AMD uProf memory and task count on Linux by running it in a transient systemd scope.
# MemoryMax needs the cgroup v2 (unified) hierarchy; for an unprivileged caller (systemd-run --user) the memory
# and pids controllers must be delegated to the user slice. Replace "collect --help" with the real session command.
systemd-run --scope -p MemoryMax=2G -p TasksMax=512 /opt/AMDuProf/bin/AMDuProfCLI collect --help
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

