Vulnerabilities, Jun 23, 2026

Impact of Linux Kernel vulnerabilities on B&R products

Linux kernel vulnerabilities impact B&R products, allowing privilege escalation.

Summary

B&R Industrial Automation GmbH has acknowledged several Linux kernel vulnerabilities affecting their products. Successful exploitation could allow a local attacker with low privileges to escalate to root. Public proof-of-concept exploits are available, though B&R has no evidence of active exploitation targeting their products. Mitigation involves strict access control and disabling the algif_aead module for affected systems.

Full text

ICS Advisory: Impact of Linux Kernel vulnerabilities on B&R products
Release Date: June 23, 2026
Alert Code: ICSA-26-174-06
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Summary

B&R is aware of publicly reported vulnerabilities affecting the Linux kernel versions shipped with the products listed as affected in the advisory. Successful local exploitation of these vulnerabilities could allow an attacker to escalate privileges on the affected system. Public proof-of-concept exploits are available for the vulnerabilities described herein. At the time of publication of this advisory, B&R had no evidence of active exploitation targeting B&R products.

The following product versions are affected:
  • Linux for B&R <=12
  • APROL <APROL-AutoYaST-DVD- V4.4-010.10.260602
  • X20EDS410 /all

CVSS v3: 7.8
Vendor: B&R Industrial Automation GmbH
Equipment: Impact of Linux Kernel vulnerabilities on B&R products
Vulnerabilities: Incorrect Resource Transfer Between Spheres, Write-what-where Condition, Improper Privilege Management, Out-of-bounds Write, Multiple Releases of Same Resource or Handle

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2026-31431

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Affected Products

Vendor: B&R Industrial Automation GmbH
Product Versions:
  • B&R Industrial Automation GmbH Linux for B&R <=12
  • B&R Industrial Automation GmbH APROL <APROL-AutoYaST-DVD- V4.4-010.10.260602
  • B&R Industrial Automation GmbH X20EDS410 /all
Product Status: fixed, known_affected

Remediations

Vendor fix: For affected products, software updates should be installed upon availability.
Product / Patch version: APROL: APROL-AutoYaST-DVD- V4.4-010.10.260602
Until remediated software versions are available, customers are required to conduct a risk assessment of their affected systems and to implement the mitigation measures and workarounds specified in this advisory.

Mitigation: Successful exploitation of the vulnerabilities described in this advisory requires local access to the affected system with low-privileged user credentials. Customers are strongly advised to enforce strict access control policies on all Linux-based systems, ensuring that interactive access is exclusively granted to authorized and trusted personnel. This includes reviewing and hardening user account permissions and disabling unused accounts. Refer to section “General security recommendations” for further advice on how to keep your system secure.

Workaround: Security researchers have identified and validated the following workarounds to reduce exposure to the vulnerabilities described in this advisory. These measures do not remediate the underlying vulnerabilities but effectively block known attack vectors until patched software versions are deployed. Important: Customers are advised to thoroughly test their systems after applying any of the listed workarounds. B&R has no visibility into customer-specific applications running on the underlying Linux system. It is the customer's responsibility to assess whether the applied workarounds interfere with existing application workloads prior to deployment in production environments.
For Debian-based systems within an active support lifecycle, kernel patches addressing CVE-2026-31431 are already available via the official package repositories. Customers are strongly encouraged to apply these updates immediately by executing the following command:

    sudo apt update && sudo apt upgrade

A system reboot is required after the upgrade for the updated kernel to take effect.

Temporary Mitigation: If an immediate system update is not feasible, the affected kernel module (algif_aead) can be disabled persistently. Security researchers have confirmed this measure effectively prevents exploitation of CVE-2026-31431. Execute the following commands as root:

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    rmmod algif_aead 2>/dev/null || true

Impact assessment: Disabling the algif_aead module removes the AEAD socket interface from the kernel crypto API. This does not affect dm-crypt/LUKS, kTLS, IPsec/XFRM, OpenSSL, GnuTLS, NSS, or SSH. Applications explicitly configured to use the afalg engine or that directly bind aead, skcipher, or hash sockets via AF_ALG may be affected. To assess exposure prior to applying this workaround, run:

    lsof | grep AF_ALG

Relevant CWE: CWE-669 Incorrect Resource Transfer Between Spheres

Metrics

CVSS Version: 3.1
Base Score: 7.8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C

CVE-2026-43284

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags. MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb.
ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

Affected Products

Vendor: B&R Industrial Automation GmbH
Product Versions:
  • B&R Industrial Automation GmbH Linux for B&R <=12
  • B&R Industrial Automation GmbH APROL <APROL-AutoYaST-DVD- V4.4-010.10.260602
  • B&R Industrial Automation GmbH X20EDS410 /all
Product Status: fixed, known_affected

Remediations

Vendor fix: For affected products, software updates should be installed upon availability.
Product / Patch version: APROL: APROL-AutoYaST-DVD- V4.4-010.10.260602
Until remediated software versions are available, customers are required to conduct a risk assessment of their affected systems and to implement the mitigation measures and workarounds specified in this advisory.

Mitigation: Successful exploitation of the vulnerabilities described in this advisory requires local access to the affected system with low-privileged user credentials. Customers are strongly advised to enforce strict access control policies on all Linux-based systems, ensuring that interactive access is exclusively granted to authorized and trusted personnel. This includes reviewing and hardening user account permissions and disabling unused accounts. Refer to section “General security recommendations” for further advice on how to keep your system secure.

Workaround: Security researchers have identified and validated the following workarounds to reduce exposure to the vulnerabilities described in this advisory. These mea
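The algif_aead workaround above (modprobe.d override, rmmod, and the lsof exposure check) can be audited without changing the host. The script below is an added example, not part of the B&R or CISA advisory; it only reads files, takes every path as a parameter so it can be run against copied /proc/modules, modprobe.d and saved lsof output, and assumes that lsof lines for AF_ALG sockets contain the string AF_ALG, as the advisory's own check does.

```shell
#!/bin/sh
# Added example, not from the B&R/CISA advisory: a read-only audit of the
# algif_aead workaround the advisory describes. Every path is a parameter so the
# checks can run against copied files (and against the constructed samples below).

MODULE="algif_aead"

# 0 if a *.conf under the given modprobe.d directory carries the persistent
# override from the advisory ("install algif_aead /bin/false"), nonzero otherwise.
workaround_configured() {
    grep -qsE "^[[:space:]]*install[[:space:]]+${MODULE}[[:space:]]+/bin/false" \
        "${1:-/etc/modprobe.d}"/*.conf
}

# 0 if the module is listed in a /proc/modules-style file (first column).
module_loaded() {
    grep -qsE "^${MODULE}[[:space:]]" "${1:-/proc/modules}"
}

# Print the distinct process names holding AF_ALG sockets, given saved lsof
# output; assumes those lines contain AF_ALG, as in the advisory's
# `lsof | grep AF_ALG` check, so the workaround's impact can be judged first.
af_alg_users() {
    grep -F 'AF_ALG' "$1" | awk '{print $1}' | sort -u
}

# Verdict: "mitigated" (override present, module unloaded); "exposed" (no
# override and module loaded); "partial" (override written but module still
# loaded, so rmmod is still needed; or unloaded but no override, so it can be
# autoloaded again on the next AF_ALG bind).
assess() {
    configured=0; loaded=0
    workaround_configured "$1" && configured=1
    module_loaded "$2" && loaded=1
    if [ "$configured" -eq 1 ] && [ "$loaded" -eq 0 ]; then echo mitigated
    elif [ "$configured" -eq 0 ] && [ "$loaded" -eq 1 ]; then echo exposed
    else echo partial; fi
}

# Constructed sample inputs (not captured from any real host) to show the checks.
demo=$(mktemp -d)
printf 'install algif_aead /bin/false\n' > "$demo/disable-algif.conf"
printf 'dm_crypt 61440 1 - Live 0x0\nalgif_aead 16384 0 - Live 0x0\n' > "$demo/modules"
printf 'openssl 4242 oper 5u sock 0,8 0t0 99001 AF_ALG\n' > "$demo/lsof.txt"
echo "verdict: $(assess "$demo" "$demo/modules")"        # partial: rmmod still needed
echo "AF_ALG users: $(af_alg_users "$demo/lsof.txt")"    # openssl
rm -rf "$demo"
```

On a live host, run `assess /etc/modprobe.d /proc/modules` as any user; `lsof` output for `af_alg_users` should be captured as root so sockets of all processes are visible.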

Indicators of Compromise

  • cve — CVE-2026-43284
  • cve — CVE-2026-46333
  • cve — CVE-2026-46300
  • cve — CVE-2026-43494

Entities

  • B&R Industrial Automation GmbH (vendor)
  • Linux for B&R (product)
  • APROL (product)
  • X20EDS410 (product)
  • Linux kernel (technology)