B&R Industrial Automation GmbH has acknowledged publicly reported Linux kernel vulnerabilities affecting several of its products, following a CISA ICS advisory. The flaws carry a CVSS v3.1 base score of 7.8 (HIGH) and could allow a local attacker with low-privileged credentials to escalate privileges on affected systems.

Affected Products

  • Linux for B&R versions 12 and earlier
  • APROL versions prior to APROL-AutoYaST-DVD-V4.4-010.10.260602
  • X20EDS410 (all versions)

Vulnerabilities

Two CVEs are documented in the advisory. CVE-2026-31431 resides in the algif_aead kernel module, which handles authenticated encryption with associated data (AEAD) sockets via the AF_ALG interface. The issue involves incorrect in-place operation between separate memory mappings, classified under CWE-669 (Incorrect Resource Transfer Between Spheres). CVE-2026-43284 affects the kernel’s ESP-in-UDP path, where pages spliced from a pipe into an skb via MSG_SPLICE_PAGES were not correctly marked as shared, allowing ESP input to decrypt data in place over memory not privately owned by the skb.

Public proof-of-concept exploit code is available for both vulnerabilities. B&R stated it has no evidence of active exploitation targeting its products at the time of advisory publication.

Remediation

A patched APROL release (APROL-AutoYaST-DVD-V4.4-010.10.260602) is available. For other affected products, B&R advises customers to apply software updates as they become available and to conduct a risk assessment in the interim.

Mitigations and Workarounds

Because successful exploitation requires local access with low-privileged credentials, B&R recommends enforcing strict access control policies, auditing user account permissions, and disabling unused accounts on all affected Linux-based systems.

For Debian-based systems within an active support lifecycle, kernel patches addressing CVE-2026-31431 are available through official package repositories and can be applied with a standard apt update && apt upgrade followed by a system reboot.

As a temporary measure where immediate patching is not feasible, the algif_aead kernel module can be disabled by adding a modprobe blacklist entry and unloading the currently loaded module. B&R notes this workaround does not affect dm-crypt/LUKS, IPsec/XFRM, OpenSSL, GnuTLS, kTLS, or SSH. However, applications explicitly configured to use the afalg engine, or that bind AF_ALG sockets directly, may be affected. Administrators can check for active AF_ALG usage before applying this workaround with lsof | grep AF_ALG.
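As an added example, not part of the advisory or B&R's own tooling, the following POSIX shell script stages that workaround in a checkable way: it runs the advisory's lsof check, writes the modprobe blacklist entry, and unloads the module only when no AF_ALG socket is open. The function names, the directory parameter on write_blacklist, the root and lsof-presence checks, and the extra `install algif_aead /bin/false` line are assumptions of this example; the lsof and lsmod listings it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not B&R's tooling: stages the algif_aead workaround from the
# advisory (check for AF_ALG users, blacklist the module, unload it).
# Paths and listings are parameters so the logic can be exercised without root.

MODULE="algif_aead"

# Exit 0 if an lsof-style listing on stdin shows an AF_ALG socket
# (the advisory's check: lsof | grep AF_ALG).
afalg_in_use() {
    grep -q 'AF_ALG'
}

# Exit 0 if an lsmod-style listing on stdin names the module in its first column.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }'
}

# Write the blacklist entry into the given modprobe.d directory (default
# /etc/modprobe.d). Idempotent: a second run leaves the file unchanged.
# "blacklist" only stops alias-based autoloading; the "install ... /bin/false"
# line (an addition of this example) also refuses an explicit modprobe.
write_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    conf="$dir/blacklist-$MODULE.conf"
    if [ -f "$conf" ] && grep -qx "blacklist $MODULE" "$conf"; then
        return 0
    fi
    mkdir -p "$dir"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$MODULE" "$MODULE" > "$conf"
}

# Apply the workaround on the live system. Refuses to proceed when a process
# still holds an AF_ALG socket, since that process would break once the
# module is gone.
apply_workaround() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2; return 1
    fi
    if ! command -v lsof >/dev/null 2>&1; then
        echo "lsof not found; cannot verify AF_ALG usage" >&2; return 1
    fi
    if lsof 2>/dev/null | afalg_in_use; then
        echo "AF_ALG sockets are open; aborting" >&2; return 1
    fi
    write_blacklist
    if lsmod | module_loaded; then
        modprobe -r "$MODULE"
    fi
}

# Only touch the system when explicitly asked: ./afalg-workaround.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_workaround
fi
```

Run it with the `apply` argument as root to change the live system; without it, the script only defines the functions, so the check and blacklist logic can be exercised against scratch directories and sample listings first.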

B&R emphasizes that customers are responsible for assessing whether any workaround interferes with existing application workloads before deploying changes in production environments.