Description
Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability
Published: 2026-05-15
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An exploit for the AMD Device Metrics Exporter in the ROCm ecosystem permits a remote attacker to bind to any IP address and authorize changes to GPU configuration settings. The vulnerability, identified as CWE-1327, could allow an attacker to modify or disable GPU operational parameters, directly impacting system availability by disrupting compute workloads or rendering the GPU unusable.

Affected Systems

AMD Instinct products affected include the MI210, MI250, MI250X, MI300A, MI300X, MI308X, MI325X, MI350X, and MI355X. No specific version ranges are listed, so all current releases of these GPUs that include the ROCm Device Metrics Exporter are considered vulnerable.

Risk and Exploitability

The CVSS score of 9.2 indicates a high severity issue. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog, but the remote nature of the exporter suggests that the attack is feasible over a network. The likely attack vector is remote, with an attacker potentially controlling GPU configuration without local access. Given the critical role of GPUs in many workloads, the risk is high and the potential for widespread service disruption is significant.

Generated by OpenCVE AI on May 15, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Follow AMD security bulletin AMD-SB-6031 and install the latest ROCm kernel updates or GPU firmware that implements the IP binding restriction fix
  • Apply firewall rules to restrict access to the AMD Device Metrics Exporter service, or configure it to bind only to the loopback interface if remote access is not required
  • If the exporter is not essential, stop or uninstall the AMD Device Metrics Exporter process to eliminate the attack surface

Generated by OpenCVE AI on May 15, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Amd
Amd instinct Mi210
Amd instinct Mi250
Amd instinct Mi300a
Amd instinct Mi300x
Amd instinct Mi308x
Amd instinct Mi325x
Vendors & Products Amd
Amd instinct Mi210
Amd instinct Mi250
Amd instinct Mi300a
Amd instinct Mi300x
Amd instinct Mi308x
Amd instinct Mi325x

Fri, 15 May 2026 05:45:00 +0000

Type Values Removed Values Added
Title Unrestricted IP Binding Allows Remote Unauthorized GPU Configuration Changes on AMD Instinct GPUs

Fri, 15 May 2026 04:30:00 +0000

Type Values Removed Values Added
Description Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability
Weaknesses CWE-1327
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Amd Instinct Mi210 Instinct Mi250 Instinct Mi300a Instinct Mi300x Instinct Mi308x Instinct Mi325x
cve-icon MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-05-15T11:11:51.087Z

Reserved: 2025-12-06T15:11:33.632Z

Link: CVE-2026-0481

cve-icon Vulnrichment

Updated: 2026-05-15T11:11:43.899Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-15T05:16:33.590

Modified: 2026-05-15T14:10:17.083

Link: CVE-2026-0481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses