XZ Utils vulnerability impacting B&R Products
View CSAF Summary An update is available that resolves vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the product to stop or corrupt memory data. The following versions of XZ Utils vulnerability impacting B&R Products are affected: PPC3100 <1.8.1, 1.8.1 (CVE-2025-31115) C50 <1.8.0, 1.8.0 (CVE-2025-31115) C80 <1.8.0, 1.8.0 (CVE-2025-31115) FT50 <1.8.1, 1.8.1 (CVE-2025-31115) MT50 <1.8.1, 1.8.1 (CVE-2025-31115) T30 <1.8.0, 1.8.0 (CVE-2025-31115) T80 <1.8.0, 1.8.0 (CVE-2025-31115) T50 <1.8.1, 1.8.1 (CVE-2025-31115) CVSS Vendor Equipment Vulnerabilities v3 7.5 B&R Industrial Automation GmbH XZ Utils vulnerability impacting B&R Products Race Condition within a Thread Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2025-31115 XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. View CVE Details Affected Products XZ Utils vulnerability impacting B&R Products Vendor: B&R Industrial Automation GmbH Product Version: B&R Industrial Automation GmbH PPC3100 <1.8.1, B&R Industrial Automation GmbH C50 <1.8.0, B&R Industrial Automation GmbH C80 <1.8.0, B&R Industrial Automation GmbH FT50 <1.8.1, B&R Industrial Automation G
CSIRTS triage
- What
- A vulnerability could cause the product to stop or corrupt memory data.
- Who is affected
- Users of affected B&R products utilizing XZ Utils.
- Urgency
- Remediation is critical due to the potential for significant operational impact.
- Action
- Update to the specified versions or later.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch XZ Utils
Get an email when a new XZ Utils advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-05
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2025-311150.65% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 47% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2025-31115 | coverage & exploitation status | NVD · CVE.org |
More from CISA Cybersecurity Advisories
- highCISA Adds Two Known Exploited Vulnerabilities to Catalog2026-07-10
- criticalSchneider Electric PowerChute Serial Shutdown2026-07-09
- criticalOpenPLC v32026-07-09
- criticalSchneider Electric Easergy MiCOM Px40 Series2026-07-09
- highCISA Adds One Known Exploited Vulnerability to Catalog2026-07-07