CVE-2024-3094

CRITICALImmediate

Published:Mar 29, 2024(2 years ago)

Modified:Aug 19, 2025

Remote ExploitNo Auth RequiredNo InteractionScope ChangesLow Complexity

Vulnerability Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
tukaani	xz	-	-
tukaani	xz	-	-

Timeline

Published
CVE disclosed publicly
Mar 29, 20242 years ago
Last Modified
Most recent update
Aug 19, 20259 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

https://access.redhat.com/security/cve/CVE-2024-3094Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2272210Issue Tracking
https://www.openwall.com/lists/oss-security/2024/03/29/4Mailing List

CVSS Score

v3.1

10.0/ 10.0

CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

At a Glance

Affected Products

References

tukaani / xz

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-raw...Vendor Advisory

http://www.openwall.com/lists/oss-security/2024/03/29/10

http://www.openwall.com/lists/oss-security/2024/03/29/12

http://www.openwall.com/lists/oss-security/2024/03/29/4

http://www.openwall.com/lists/oss-security/2024/03/29/5

http://www.openwall.com/lists/oss-security/2024/03/29/8

http://www.openwall.com/lists/oss-security/2024/03/30/12

http://www.openwall.com/lists/oss-security/2024/03/30/27

http://www.openwall.com/lists/oss-security/2024/03/30/36

http://www.openwall.com/lists/oss-security/2024/03/30/5

http://www.openwall.com/lists/oss-security/2024/04/16/5

https://access.redhat.com/security/cve/CVE-2024-3094Vendor Advisory

https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of...

https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used...Third Party Advisory

https://aws.amazon.com/security/security-bulletins/AWS-2024-002/Third Party Advisory

https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz

https://boehs.org/node/everything-i-know-about-the-xz-backdoorThird Party Advisory

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024Mailing List

https://bugs.gentoo.org/928134Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=2272210Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=1222124Issue Tracking

https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0...Third Party Advisory

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27Third Party Advisory

https://github.com/advisories/GHSA-rxwq-x6h5-x525Third Party Advisory

https://github.com/amlweems/xzbot

https://github.com/karcherm/xz-malwareThird Party Advisory

https://gynvael.coldwind.pl/?lang=en&id=782Technical Description

https://lists.debian.org/debian-security-announce/2024/msg00057.htmlMailing List

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248....Third Party Advisory

https://lwn.net/Articles/967180/Issue Tracking

https://news.ycombinator.com/item?id=39865810Issue Tracking

https://news.ycombinator.com/item?id=39877267Issue Tracking

https://news.ycombinator.com/item?id=39895344

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/Third Party Advisory

https://research.swtch.com/xz-script

https://research.swtch.com/xz-timeline

https://security-tracker.debian.org/tracker/CVE-2024-3094Third Party Advisory

https://security.alpinelinux.org/vuln/CVE-2024-3094Third Party Advisory

https://security.archlinux.org/CVE-2024-3094Third Party Advisory

https://security.netapp.com/advisory/ntap-20240402-0001/

https://tukaani.org/xz-backdoor/Issue Tracking

https://twitter.com/LetsDefendIO/status/1774804387417751958Third Party Advisory

https://twitter.com/debian/status/1774219194638409898Press/Media Coverage

https://twitter.com/infosecb/status/1774595540233167206Press/Media Coverage

https://twitter.com/infosecb/status/1774597228864139400Press/Media Coverage

https://ubuntu.com/security/CVE-2024-3094Third Party Advisory

https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lu...

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-cha...Third Party Advisory

https://www.darkreading.com/vulnerabilities-threats/are-you-affected-b...Third Party Advisory

https://www.kali.org/blog/about-the-xz-backdoor/

https://www.openwall.com/lists/oss-security/2024/03/29/4Mailing List

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-raw...Vendor Advisory

https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-...Third Party Advisory

https://www.theregister.com/2024/03/29/malicious_backdoor_xz/Press/Media Coverage

https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094

https://xeiaso.net/notes/2024/xz-vuln/Third Party Advisory

CVSS v3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Impact

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

Impact Analysis

ConfidentialityHigh

NoneLowHigh

IntegrityHigh

NoneLowHigh

AvailabilityHigh

NoneLowHigh

CVE-2024-3094

✦ Vulnerability Description

Attack Characteristics

Affected Software

Timeline

References

CVSS Score

At a Glance

Official Sources

CVSS v3 Vector

Impact Analysis

Vulnerability Description