Impact of Linux Kernel vulnerabilities on B&R products

Priority: Act Now
CVSS: 7.8
ICS-CERT: ICSA-26-174-06
Published: Jun 11, 2026
Sector: Manufacturing
Attack path
  • Attack Vector: Local
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

B&R products running vulnerable Linux kernel versions are affected by publicly reported kernel vulnerabilities that allow privilege escalation. Exploitation requires local user access with low-privileged credentials and could allow an attacker to escalate to system administrator (root) level. Public proof-of-concept exploits are available; exploitation has been validated by security researchers, but B&R reports no active attacks on B&R products at the time of publication. APROL has a vendor patch available. For other affected products, workarounds include strict access control enforcement and kernel updates via Debian repositories where available. Linux for B&R and X20EDS410 products do not have patches available; customers must implement the access control and hardening workarounds.

What this means
What could happen
Local users with low privileges can escalate their access to system administrator level, potentially allowing an attacker to modify process configurations, halt operations, or exfiltrate sensitive data from automated manufacturing systems. This is a high-risk vulnerability actively being exploited in the wild.
Who's at risk
Manufacturing facilities using B&R automation products, particularly those running APROL process management software or X20 edge/IO modules with embedded Linux. This affects any plant using B&R's Linux-based controller or data acquisition systems where unauthorized personnel or compromised user accounts could gain shell access.
How it could be exploited
An attacker with local user access (such as through stolen credentials or a compromised employee account) runs a publicly available exploit against the Linux kernel vulnerability to gain root-level privileges on the B&R system, from which they can modify PLC logic, adjust process setpoints, or disable safety systems.
Prerequisites
  • Local user account with low-level credentials on the affected Linux system
  • Physical or network access to the system allowing interactive login
Tags
  • remotely exploitable via compromised user credentials
  • actively exploited (KEV)
  • high EPSS score (26.3%)
  • affects automation control systems
  • low complexity exploitation
  • affects manufacturing safety and availability
  • no patch available for X20EDS410 and Linux for B&R <= 12 products
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (3)
1 with fix, 2 pending

Product                 Affected Versions                          Fix Status
Linux for B&R <=12      ≤ 12                                       No fix yet
APROL                   < APROL-AutoYaST-DVD-V4.4-010.10.260602    Fixed in APROL-AutoYaST-DVD-V4.4-010.10.260602
X20EDS410 /all          all                                        No fix yet
Remediation & Mitigation
Do now
  • HOTFIX: Update APROL to APROL-AutoYaST-DVD-V4.4-010.10.260602 or later
  • HOTFIX: Execute 'sudo apt update && sudo apt upgrade' on Debian-based systems to patch the Linux kernel, then reboot
  • HARDENING: Restrict local interactive access to B&R Linux systems to authorized personnel only; review and remove unnecessary user accounts
  • HARDENING: Enforce strong authentication (strong passwords or SSH key-based authentication) for all user accounts on Linux-based B&R systems
  • WORKAROUND: Disable unused service accounts and remove unneeded interactive shell access for service accounts
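As an added example that is not part of the advisory or of OTPulse's or B&R's own material, a small POSIX shell audit that supports the HARDENING and WORKAROUND items above and the reboot step of the kernel HOTFIX: it lists every account that can obtain an interactive shell (the low-privileged local login this vulnerability requires) and reports when a newer kernel is installed than the one currently running. It assumes a Debian-style layout (/etc/passwd, kernels as /boot/vmlinuz-<version>) and GNU 'sort -V'; the passwd lines embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory, OTPulse or B&R): checks for the
# access-control and kernel-update items above. Assumes a Debian-style layout
# (/etc/passwd, kernels as /boot/vmlinuz-<version>) and GNU 'sort -V'.

# Constructed sample standing in for /etc/passwd when run off a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
operator:x:1000:1000:Operator:/home/operator:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc-hist:x:1001:1001:Historian service:/var/lib/hist:/bin/sh
ftp:x:110:115:ftp daemon:/srv/ftp:/bin/false'

# interactive_accounts PASSWD_TEXT: prints, one per line, every account whose
# login shell is not nologin/false. Each one satisfies the advisory's
# prerequisite of a low-privileged local login, so each must be on the
# authorized list or be removed / switched to nologin.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 }'
}

# reboot_needed RUNNING NEWEST: succeeds (exit 0) when the running kernel is
# older than the newest installed one, i.e. the apt upgrade was applied but
# the reboot step of the HOTFIX was skipped and the old kernel is still loaded.
reboot_needed() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    oldest="$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)"
    [ "$oldest" = "$1" ]
}

# Stand-alone run: audit the live system where its files exist, else the sample.
if [ -r /etc/passwd ]; then
    passwd_text="$(cat /etc/passwd)"
else
    passwd_text="$SAMPLE_PASSWD"
fi
echo "Accounts with an interactive shell (review against the authorized list):"
interactive_accounts "$passwd_text"

newest="$(ls /boot/vmlinuz-* 2>/dev/null | sed 's,.*/vmlinuz-,,' | sort -V | tail -n1)"
if [ -n "$newest" ] && reboot_needed "$(uname -r)" "$newest"; then
    echo "Kernel $newest is installed but $(uname -r) is running: reboot pending"
fi
```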

