CPU-Z Validation can be faked/ manipulated

Over the series of days, I and many of you guys have been seeing a series of websites putting up  CPU-Z screenshot leaks of unreleased processors and showing the overclocking potential (on boot, anyways) of the processor, like Haswell- and even GTX 700 series which claims to have DX12 support, but hack tricks have shown that CPU-Z validation can be hacked and approved by CPU-Z validation. But now personally I had doubts, that doubts have grown much stronger after knowing that CPU-Z validation file can be manipulated and approved.

According to the author, the validation information which can be saved locally lets it to export to either .txt or .html format. While the the writer did point out that CPU-Z has a good feature to validate a clock setting by using simple math, but also showed that CPU-Z can still be faked with an example as it doesn’t do any data integrity check of the validation file submitted by the user:


Despite the validator’s ability to check for the validity of overclocking speeds, the site does not seem to care about the integrity of the other data.  As you saw early in the post, it was possible to put an HTML link back to this website directly on the CPU-Z page.  In the wrong hands, it is theoretically possible to inject malicious code.  As long as client-side data is imported to the server without any checks, dangers exist.  How was this possible?  When the user clicks validate in CPU-Z, a buffer area 8192 bytes in size is created.  Each hardware specification is written into the buffer in Unicode format.  The entire buffer is then transformed into ASCII format, encrypted, and finally converted to a string to become the cvf format.

It should be noted that currently CPU-Z version 1.64 is available, and the writer showed it with 1.63, reality is that 1.64 version came on April 23th, 2013, whereas the article was put up on April 28th, 2013. The author did contact CPU-Z team on May 2nd, 2013 and told them about the issue to which he got a reply on May 4th.

If you look at CPU-Z 1.64’s version history, it simply provides support for Intel Atom “Cloverview” CPUs, Intel Ivy Bridge-E/EP/EX CPUs and AMD Richland APUs. But CPU-Z did say that they are working to fix the security issue.


CPU-Z team in the meanwhile quickly removed the validation link that was approved of the data which claimed to have 2600K clocked at 7360MHz.

Source: 1

Leave a Reply

Your email address will not be published. Required fields are marked *

Beyond News. Beyond Reviews. Beyond Guides & Recommendations.

Join the never ending discussions on never ending topics.
Previous Article

Benchmarks of retail Core i5-4570 and i7-4770K leaked

Next Article

Retail Packs of Intel Haswell CPUs on sale in China

Related Posts

Beyond News. Beyond Reviews. Beyond Guides & Recommendations.

Hardware BBQ is a PC hardware review, news and recommendations website. Typical of such PC hardware websites, I encourage two-way communication and discussions. Help us to help everybody by being a part of it. I am pretty active on Twitter. But for any detailed discussions and inquiries, you can always join the Discord group for any discussions.The future plans include streaming on Twitch, but I'll let you if and when that plan is made. Don't forget to follow the channel if you're interested.