# Critical Race Condition Vulnerability in XZ Utils Impacts B&R Industrial Automation Products
A significant vulnerability, identified as **CVE-2025-31115**, has been discovered in **XZ Utils**, a widely used data-compression library. This flaw, a race condition within a thread, can lead to system crashes or memory corruption in affected **B&R Industrial Automation GmbH** products, posing a risk to critical manufacturing sectors globally. Users are urged to apply the available updates to mitigate potential exploitation.
**CISA** has issued an alert regarding a critical vulnerability, **CVE-2025-31115**, affecting **XZ Utils**, a general-purpose data-compression library. This flaw has direct implications for several products from **B&R Industrial Automation GmbH**, a prominent vendor in critical manufacturing.
## The Vulnerability: CVE-2025-31115
The vulnerability, categorized as a race condition within a thread (**CWE-366**), resides in the multithreaded `.xz` decoder in **liblzma**, the library component of **XZ Utils**, in versions 5.3.3alpha through 5.8.0. Invalid input can trigger a crash; the effects include heap use-after-free and writes to an address computed from a null pointer plus an offset. In an affected product this can cause the device to stop or corrupt data in memory.
### Affected B&R Products
**B&R Industrial Automation GmbH** products that ship the vulnerable **XZ Utils** versions are at risk. The affected product lines and versions are:
* **PPC3100** <1.8.1, 1.8.1
* **C50** <1.8.0, 1.8.0
* **C80** <1.8.0, 1.8.0
* **FT50** <1.8.1, 1.8.1
* **MT50** <1.8.1, 1.8.1
* **T30** <1.8.0, 1.8.0
* **T80** <1.8.0, 1.8.0
* **T50** <1.8.1, 1.8.1
These products are deployed globally within critical manufacturing sectors, making the timely application of patches crucial.
## Mitigation and Recommendations
**XZ Utils** version 5.8.1 includes a fix for this vulnerability. The fix has also been committed to the v5.4, v5.6, v5.8, and master branches in the **xz Git** repository. Although no new release packages will be made from old stable branches, a standalone patch is available for all affected releases.
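For inventory purposes, the affected range above (5.3.3alpha through 5.8.0, fixed in 5.8.1) can be checked against the liblzma version a host reports. The following is an added example, not code from the advisory or from the XZ Utils project; it assumes `xz --version` prints a `liblzma <version>` line, and the sample output embedded below is constructed for illustration.

```python
import re
import shutil
import subprocess

# Stability ordering used by liblzma's version encoding: alpha < beta < stable.
STABILITY = {"alpha": 0, "beta": 1, "": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(alpha|beta)?")


def parse_xz_version(text):
    """Return (major, minor, patch, stability) from text such as
    'liblzma 5.3.3alpha' or 'xz (XZ Utils) 5.8.0'; None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch), STABILITY[tag or ""])


# Affected range from the CVE-2025-31115 advisory, both ends inclusive.
AFFECTED_LOW = parse_xz_version("5.3.3alpha")
AFFECTED_HIGH = parse_xz_version("5.8.0")


def is_affected(version_text):
    """True if the liblzma version in version_text falls in the affected range."""
    v = parse_xz_version(version_text)
    if v is None:
        raise ValueError("no version number found in: %r" % version_text)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def liblzma_line(xz_version_output):
    """Pick the 'liblzma ...' line from `xz --version` output; the bug lives in
    liblzma, so that line, not the xz front-end line, is the one that matters."""
    for line in xz_version_output.splitlines():
        if line.startswith("liblzma"):
            return line
    return None


def check_local_xz():
    """Run `xz --version` on this host and report whether its liblzma is affected.
    Returns None if the xz binary is not installed."""
    if shutil.which("xz") is None:
        return None
    out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    line = liblzma_line(out)
    return is_affected(line) if line else None


# Constructed sample of `xz --version` output (not from a real host).
SAMPLE_OUTPUT = "xz (XZ Utils) 5.8.0\nliblzma 5.8.0\n"
```

Any host whose liblzma line reports a version in the range should be scheduled for an update to 5.8.1 or the vendor's patched firmware.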
**B&R Industrial Automation GmbH** has released updates to address this vulnerability in their affected products. Users are strongly advised to update their systems immediately.
### CISA Recommended Practices
**CISA** emphasizes several defensive measures to minimize exploitation risk, particularly for control system environments:
* **Minimize Network Exposure**: Ensure control system devices and systems are not directly accessible from the internet.
* **Network Segmentation**: Locate control system networks and remote devices behind firewalls, isolating them from business networks.
* **Secure Remote Access**: When remote access is necessary, use secure methods such as **Virtual Private Networks (VPNs)**. Keep **VPNs** updated to the most current version available, and recognize that a VPN is only as secure as the devices connected to it.
Organizations should perform thorough impact analyses and risk assessments before implementing defensive measures. **CISA** also provides extensive resources on industrial control systems cybersecurity, including defense-in-depth strategies.
## Public Disclosure and Exploitation Status
This vulnerability has been publicly disclosed. However, as of the initial advisory, **B&R Industrial Automation GmbH** had not received any reports of active exploitation.
This vulnerability was reported to **CISA** by **ABB PSIRT**.
For more technical details, refer to the [CVE-2025-31115 record](https://www.cve.org/CVERecord?id=CVE-2025-31115) and the [CSAF advisory](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-05.json).