CVE-2024-3094
CRITICALEPSS 100th pctlDescription
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
References
- https://access.redhat.com/security/cve/CVE-2024-3094
- https://bugzilla.redhat.com/show_bug.cgi?id=2272210
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- http://www.openwall.com/lists/oss-security/2024/03/29/10
- http://www.openwall.com/lists/oss-security/2024/03/29/12
- http://www.openwall.com/lists/oss-security/2024/03/29/4
- http://www.openwall.com/lists/oss-security/2024/03/29/5
- http://www.openwall.com/lists/oss-security/2024/03/29/8
- http://www.openwall.com/lists/oss-security/2024/03/30/12
- http://www.openwall.com/lists/oss-security/2024/03/30/27
- http://www.openwall.com/lists/oss-security/2024/03/30/36
- http://www.openwall.com/lists/oss-security/2024/03/30/5
- http://www.openwall.com/lists/oss-security/2024/04/16/5
- https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
- https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
- https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
- https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
- https://bugs.gentoo.org/928134
- https://bugzilla.suse.com/show_bug.cgi?id=1222124
- https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
- https://github.com/advisories/GHSA-rxwq-x6h5-x525
- https://github.com/amlweems/xzbot
- https://github.com/karcherm/xz-malware
- https://gynvael.coldwind.pl/?lang=en&id=782
- https://lists.debian.org/debian-security-announce/2024/msg00057.html
- https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
- https://lwn.net/Articles/967180/
- https://news.ycombinator.com/item?id=39865810
- https://news.ycombinator.com/item?id=39877267
- https://news.ycombinator.com/item?id=39895344
- https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
- https://research.swtch.com/xz-script
- https://research.swtch.com/xz-timeline
- https://security-tracker.debian.org/tracker/CVE-2024-3094
- https://security.alpinelinux.org/vuln/CVE-2024-3094
- https://security.archlinux.org/CVE-2024-3094
- https://security.netapp.com/advisory/ntap-20240402-0001/
- https://tukaani.org/xz-backdoor/
- https://twitter.com/LetsDefendIO/status/1774804387417751958
- https://twitter.com/debian/status/1774219194638409898
- https://twitter.com/infosecb/status/1774595540233167206
- https://twitter.com/infosecb/status/1774597228864139400
- https://ubuntu.com/security/CVE-2024-3094
- https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-08-19.