CISA Warns of Linux Kernel Flaws Affecting B&R Industrial Automation Products
CISA disclosed multiple Linux kernel vulnerabilities, including CVE-2026-31431, impacting B&R Industrial Automation products, with local privilege escalation risk and public PoCs available.

CISA published an advisory on June 23, 2026, detailing multiple Linux kernel vulnerabilities affecting B&R Industrial Automation GmbH products. The flaws, which include CVE-2026-31431 and CVE-2026-43284, allow local attackers to escalate privileges on affected systems. Public proof-of-concept exploits exist for the vulnerabilities, though no active exploitation targeting B&R products has been detected, according to the advisory.
The vulnerabilities span several categories: incorrect resource transfer between spheres, write-what-where conditions, improper privilege management, and out-of-bounds writes. CVE-2026-31431, a crypto subsystem bug in the kernel's AF_ALG AEAD socket interface, carries a CVSS v3.1 base score of 7.8 (HIGH). CVE-2026-43284, meanwhile, involves the ESP input path in the xfrm subsystem where decryption could operate in-place on shared, non-private skb fragments, leading to data corruption or privilege escalation.
Affected products include Linux for B&R versions up to and including 12, APROL versions below APROL-AutoYaST-DVD-V4.4-010.10.260602, and the X20EDS410 controller. The products are deployed worldwide across the critical manufacturing sector, according to CISA. All require local system access and low-privileged user credentials for successful exploitation, somewhat limiting the attack surface but still posing significant risk in multi-user or shared environments.
B&R and CISA have released patches and workarounds. For Debian-based systems within active support, kernel updates addressing CVE-2026-31431 are available via official package repositories (apt update && apt upgrade). Administrators can also temporarily mitigate CVE-2026-31431 by disabling the algif_aead kernel module via modprobe, which blocks the attack vector without affecting core encryption services like dm-crypt/LUKS, IPsec, or OpenSSL.
B&R has provided specific patch versions: APROL must be updated to APROL-AutoYaST-DVD-V4.4-010.10.260602 or later. Until patched, customers are urged to enforce strict access controls, audit user accounts, and test workarounds in non-production environments. The advisory notes that these measures block known attack vectors but do not remediate the underlying flaws.
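The algif_aead workaround above, as an added defender-side helper that is not from the CISA or B&R advisory: it checks whether the module is loaded from lsmod-style output and emits the modprobe.d fragment that keeps it from being loaded again. The sample lsmod text is constructed for offline testing, and the `/etc/modprobe.d` path and `--apply` flag are assumptions.

```shell
#!/bin/sh
# Added example (not the advisory's own code): check and mitigation helper for
# the algif_aead workaround. Assumes standard lsmod output and a writable
# /etc/modprobe.d when run as root with --apply.
MODULE="algif_aead"

# Return 0 if the module is listed in lsmod-format text (module name in column 1).
# The "Used by" column of af_alg may also mention algif_aead; anchoring to the
# start of the line avoids that false positive.
module_loaded_in() {
    printf '%s\n' "$1" | grep -q "^${MODULE}[[:space:]]"
}

# modprobe.d fragment: "blacklist" only stops alias-based autoloading, while
# "install ... /bin/false" makes an explicit modprobe fail as well.
blacklist_fragment() {
    printf 'blacklist %s\ninstall %s /bin/false\n' "$MODULE" "$MODULE"
}

# Apply on a live host (root): persist the fragment, then unload if loaded.
# Caveat: if algif_aead is compiled into the kernel rather than built as a
# module, it will not appear in lsmod and this workaround does not apply.
apply_mitigation() {
    blacklist_fragment > "/etc/modprobe.d/disable-${MODULE}.conf"
    if module_loaded_in "$(lsmod)"; then
        modprobe -r "$MODULE"
    fi
}

# Constructed sample lsmod output (not captured from a real host).
SAMPLE_LOADED="Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead
dm_crypt               53248  1"
SAMPLE_CLEAN="Module                  Size  Used by
af_alg                 32768  0
dm_crypt               53248  1"

if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```

Run with `--apply` as root to persist the block; without it, only the helper functions are defined so the check can be sourced into other scripts.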
This disclosure continues a pattern of kernel vulnerabilities requiring coordinated disclosure across embedded and industrial control system (ICS) vendors. Because B&R products often operate in critical manufacturing environments, even local privilege escalation could enable broader disruption. The availability of public PoCs raises the urgency for asset owners to apply patches or mitigations promptly.
Additional CVEs disclosed in the same advisory, such as CVE-2026-43284, further highlight the challenge of securing legacy Linux kernels in OT/ICS deployments. Security researchers have validated the PoCs, emphasizing the need for rapid patching despite the local-access requirement. CISA's inclusion of this advisory under its ICS program underscores the potential for industrial infrastructure impact.