HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

High‑Severity Race Condition (CVE‑2025‑31115) in XZ Utils Affects B&R Industrial Automation Products

CISA has flagged CVE‑2025‑31115, a race condition in XZ Utils that can corrupt memory and crash affected B&R industrial controllers. The flaw scores 7.5 on CVSS, making rapid patching essential for SOC 2 compliance and uninterrupted operations.

LiveThreat™ Intelligence · 📅 June 30, 2026· 📰 cisa.gov
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
cisa.gov

High‑Severity Race Condition (CVE‑2025‑31115) in XZ Utils Affects B&R Industrial Automation Products

What It Is — XZ Utils 5.3.3α‑5.8.0 contains a multithreaded decoder race condition (CVE‑2025‑31115) that can trigger heap‑use‑after‑free and null‑pointer writes, leading to crashes or memory corruption.

Exploitability — Public advisory; proof‑of‑concept code exists; CVSS v3 7.5 (High).

Affected Products — B&R Industrial Automation GmbH devices using XZ Utils versions < 1.8.0/1.8.1 (e.g., PPC3100, C50, C80, FT50, MT50, T30, T80, T50).

Why It Matters for Compliance & Audit Readiness

  • SOC 2 CC6.1 (System Operations) requires evidence that critical software components are patched promptly; an unpatched race condition breaches that expectation.
  • Continuous control monitoring of third‑party libraries demonstrates due diligence and provides audit‑ready proof of a hardened attack surface.
  • Enterprise buyers increasingly demand documented remediation processes as part of their SOC 2 assessments.

Recommended Actions

  • Inventory all B&R devices and verify XZ Utils version.
  • Apply the vendor‑supplied update to ≥ 1.8.1 (or the version specified in the advisory).
  • Record patch status in a centralized compliance dashboard to satisfy SOC 2 evidence requirements.
  • Integrate automated version‑checking into your change‑management workflow.

Source: CISA Advisory ICS‑A‑26‑181‑05

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-05

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →