Machine-generated analysis · WAYSCloud LLM
The vulnerability stems from a race condition in the multithreaded .xz decoder within liblzma, which could lead to memory corruption or service disruption if exploited.
Context
The advisory addresses a race condition in XZ Utils' multithreaded .xz decoder (liblzma), specifically affecting B&R Industrial Automation products using vulnerable versions. The issue exists in XZ Utils 5.3.3alpha to 5.8.0, where malformed input can trigger heap use-after-free or null pointer offset writes. The vulnerability has been fixed in XZ Utils 5.8.1, with patches available for affected versions. Notably, no new packages will be released for older stable branches, but a standalone patch is provided.
Operator considerations
Check: Inventory B&R products running versions listed as affected, particularly PPC3100, C50, C80, FT50, MT50, T30, T80, and T50. Patch: Apply the standalone patch for XZ Utils or upgrade to XZ Utils 5.8.1 where feasible.
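As an added illustration of the version check described above (example code, not part of the advisory, of B&R's tooling or of XZ Utils itself), a Python helper that parses XZ Utils version strings, including the alpha/beta pre-release suffixes the affected range starts with, and reports whether a given liblzma version falls inside 5.3.3alpha through 5.8.0; the sample `xz --version` output it processes is constructed:

```python
import re
from typing import NamedTuple

# Affected range stated in the advisory: XZ Utils 5.3.3alpha through 5.8.0,
# fixed in 5.8.1. Pre-release suffixes sort before the stable release of the
# same number (5.3.3alpha < 5.3.3beta < 5.3.3), which the stability field encodes.
_STABILITY = {"alpha": 0, "beta": 1, "": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(alpha|beta)?$")

class XzVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    stability: int  # 0 = alpha, 1 = beta, 2 = stable release

def parse_xz_version(text: str) -> XzVersion:
    """Parse an XZ Utils version string such as '5.3.3alpha' or '5.8.1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XZ Utils version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return XzVersion(int(major), int(minor), int(patch), _STABILITY[suffix or ""])

AFFECTED_FIRST = parse_xz_version("5.3.3alpha")
AFFECTED_LAST = parse_xz_version("5.8.0")

def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's affected range.
    Caveat: distributions may backport the fix without changing the version
    number, so a hit here means "check the vendor changelog", not "confirmed vulnerable"."""
    return AFFECTED_FIRST <= parse_xz_version(version) <= AFFECTED_LAST

def liblzma_version_from_output(output: str) -> str:
    """Extract the liblzma version from `xz --version` output. The decoder lives
    in liblzma, so its line (not the xz front end's) is the one that matters."""
    for line in output.splitlines():
        m = re.match(r"^liblzma\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    raise ValueError("no liblzma line found in xz --version output")

if __name__ == "__main__":
    # Constructed sample of `xz --version` output, not captured from a real host.
    sample = "xz (XZ Utils) 5.8.0\nliblzma 5.8.0\n"
    ver = liblzma_version_from_output(sample)
    print(f"liblzma {ver}: {'in affected range' if is_affected(ver) else 'not in affected range'}")
```

On a real host, feed the output of `xz --version` to `liblzma_version_from_output` and treat a positive result as a prompt to confirm against the vendor's patch status rather than as proof of exposure.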
An update is available that resolves the vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the product to stop or corrupt memory data.
The following B&R product versions are affected by the XZ Utils vulnerability:
PPC3100