High‑Severity Race Condition (CVE‑2025‑31115) in XZ Utils Affects B&R Industrial Automation Products
What It Is — XZ Utils 5.3.3α‑5.8.0 contains a multithreaded decoder race condition (CVE‑2025‑31115) that can trigger heap‑use‑after‑free and null‑pointer writes, leading to crashes or memory corruption.
Exploitability — Public advisory; proof‑of‑concept code exists; CVSS v3 7.5 (High).
Affected Products — B&R Industrial Automation GmbH devices using XZ Utils versions < 1.8.0/1.8.1 (e.g., PPC3100, C50, C80, FT50, MT50, T30, T80, T50).
Why It Matters for Compliance & Audit Readiness
- SOC 2 CC6.1 (System Operations) requires evidence that critical software components are patched promptly; an unpatched race condition breaches that expectation.
- Continuous control monitoring of third‑party libraries demonstrates due diligence and provides audit‑ready proof of a hardened attack surface.
- Enterprise buyers increasingly demand documented remediation processes as part of their SOC 2 assessments.
Recommended Actions
- Inventory all B&R devices and verify XZ Utils version.
- Apply the vendor‑supplied update to ≥ 1.8.1 (or the version specified in the advisory).
- Record patch status in a centralized compliance dashboard to satisfy SOC 2 evidence requirements.
- Integrate automated version‑checking into your change‑management workflow.
Source: CISA Advisory ICS‑A‑26‑181‑05