
Five Linux Kernel Bugs Hit B&R Controllers With Public Exploits

B&R's APROL platform ships a Linux kernel carrying five privilege-escalation vulnerabilities, all with public proof-of-concept code and CVSS scores up to 7.8.

Tags: CISA, B&R, industrial automation, Linux kernel, privilege escalation, CVE-2026-31431, industrial control systems

B&R's APROL automation platform ships a Linux kernel with five privilege-escalation holes - and proof-of-concept exploits are already public.

Every one of these bugs requires local access with low-privileged credentials, but once you're in, the game is over. CVSS scores range from 7.1 to 7.8, with four of the five hitting 7.8 (HIGH). B&R confirmed no active exploitation targeting their products yet, but the exploits are out there.

The Bugs: Five Ways to Root on APROL

CVE-2026-31431 lives in the algif_aead crypto module. The kernel was doing in-place AEAD operations when source and destination came from different memory mappings, which is just wrong. Reverting to out-of-place fixes it. If you can't patch, disable the module - more on that below.

CVE-2026-43284 is about ESP-in-UDP decryption destroying shared page-cache-backed skb frags. When MSG_SPLICE_PAGES feeds pipe pages directly into an skb, and ESP input takes the no-COW fast path, you get an in-place decrypt over data the skb doesn't own. Mark those frags with SKBFL_SHARED_FRAG and fall back to skb_cow_data(). Problem solved.

CVE-2026-46333 is a ptrace dumpability logic bug. Kernel threads with no mm pointer get cached dumpability values, and the traditional drop-capabilities model didn't apply. Linus's fix makes ptrace_may_access() require CAP_SYS_PTRACE for threads without an MM. Clean.

CVE-2026-46300 is skb coalescing losing the shared-frag marker. If TCP receive coalescing moves shared frags into an unmarked skb, ESP input sees skb_has_shared_frag() as false and decrypts in place on page-cache-backed memory. Propagate the flag. Simple.

CVE-2026-43494 is a double-free in RDS. When iov_iter_get_pages2() fails, op_nents isn't reset, so rds_message_purge() frees pages already released. Classic use-after-free that a local attacker can turn into code execution.

The Fix: Patch Now or Disable algif_aead

B&R's fix is APROL-AutoYaST-DVD- V4.4-010.10.260602. For Debian-based systems still in support, kernel patches for CVE-2026-31431 are already in official repos. Run:

sudo apt update && sudo apt upgrade

Then reboot. If you can't patch immediately, disable the vulnerable module:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true

Disabling algif_aead does not affect dm-crypt, kTLS, IPsec, OpenSSL, GnuTLS, NSS, or SSH. Only applications using the afalg engine or AF_ALG sockets will break. Run lsof | grep AF_ALG to check exposure before applying.
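The exposure check matters because rmmod will refuse to unload a module that still has a user, and whatever holds that reference is exactly the AF_ALG client that will break once the override is in place. The script below is an added example written for this article, not code from B&R, CISA or the original post. It reads the use count for algif_aead from /proc/modules, checks whether /etc/modprobe.d/disable-algif.conf (the path the article uses) already carries the override, and only writes anything when invoked with --apply. The sample /proc/modules and modprobe.d text embedded for the self-check are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: pre-flight checks for the algif_aead workaround described in
# the article. Nothing is written unless the script is run with --apply.

MODULE="algif_aead"
CONF="/etc/modprobe.d/disable-algif.conf"   # path taken from the article
DIRECTIVE="install $MODULE /bin/false"

# Print the use count of module $1 from /proc/modules-style text on stdin
# (third field), or "absent" when the module is not loaded at all.
module_refcount() {
  awk -v m="$1" '$1 == m { print $3; found = 1 } END { if (!found) print "absent" }'
}

# Exit 0 if a modprobe.d file (content on stdin) already contains the
# override for module $1, ignoring comment lines and extra whitespace.
conf_blocks_module() {
  awk -v m="$1" '
    /^[[:space:]]*#/ { next }
    $1 == "install" && $2 == m && $3 == "/bin/false" { ok = 1 }
    END { if (ok) exit 0; exit 1 }'
}

# Human-readable verdict for a use count value.
refcount_verdict() {
  case "$1" in
    absent) echo "not loaded: the override only needs to prevent future loads" ;;
    0)      echo "loaded but unused: safe to rmmod now" ;;
    *)      echo "in use by $1 holder(s): find the AF_ALG client before unloading" ;;
  esac
}

# Constructed sample data for the self-check (not from any real host).
SAMPLE_MODULES='algif_aead 16384 1 - Live 0xffffffffc0a00000
af_alg 28672 1 algif_aead, Live 0xffffffffc09f0000
dm_crypt 53248 1 - Live 0xffffffffc0900000'
SAMPLE_CONF='# written by ops
install  algif_aead   /bin/false'

# Runs the helpers against the constructed samples; exit 0 when all agree.
self_check() {
  [ "$(printf '%s\n' "$SAMPLE_MODULES" | module_refcount algif_aead)" = "1" ] &&
  [ "$(printf '%s\n' "$SAMPLE_MODULES" | module_refcount algif_skcipher)" = "absent" ] &&
  printf '%s\n' "$SAMPLE_CONF" | conf_blocks_module algif_aead &&
  ! printf '%s\n' "$SAMPLE_CONF" | conf_blocks_module af_alg
}

if [ "$1" = "--apply" ]; then
  # Same two steps as the article's workaround, with sudo on the file write.
  printf '%s\n' "$DIRECTIVE" | sudo tee "$CONF" >/dev/null
  sudo rmmod "$MODULE" 2>/dev/null || true
  echo "override written to $CONF; 'modprobe -n -v $MODULE' should now show: $DIRECTIVE"
elif [ -r /proc/modules ]; then
  rc=$(module_refcount "$MODULE" < /proc/modules)
  echo "$MODULE: $(refcount_verdict "$rc")"
  if [ -r "$CONF" ] && conf_blocks_module "$MODULE" < "$CONF"; then
    echo "$CONF already carries: $DIRECTIVE"
  else
    echo "no override yet; re-run with --apply to write: $DIRECTIVE"
  fi
fi
```

Run it once without arguments to see the verdict; a non-zero use count means something on the box still has an AF_ALG socket open, which is the case where the article's lsof check is worth running before --apply. After applying, `modprobe -n -v algif_aead` should print the install line instead of loading the module.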

Why This Matters for Critical Manufacturing

B&R sells into critical manufacturing sectors worldwide. These are not desktop Linux boxes - they're industrial controllers running production lines. A local privilege escalation from low-priv to root means an attacker who already has a foothold on the OT network can take full control of the APROL system. CISA's advisory explicitly calls out that interactive access should be restricted to trusted personnel. If your plant floor Linux systems have loose user management, fix that yesterday.

ABB PSIRT reported these vulnerabilities to CISA, which published the advisory on June 23, 2026. B&R's FAQ admits that exploitation has been reported elsewhere, though not yet on B&R products. Don't wait for that to change.


Source: Impact of Linux Kernel vulnerabilities on B&R products
Domain: cisa.gov
