CVE-2024-3094
CVE-2024-3094 is a critical-severity vulnerability in Tukaani Xz with a CVSS 3.x base score of 10.0. Its EPSS exploit-prediction score of 86% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-506.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 86% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-31700
- Weakness: CWE-506
- Affected product: Tukaani Xz
- Published:
- Last modified:
Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Frequently asked questions
- What is CVE-2024-3094?
- Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
- How severe is CVE-2024-3094?
- CVE-2024-3094 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-3094 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 86% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-3094?
- CVE-2024-3094 primarily affects Tukaani Xz. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-3094?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2024-3094 have an EU (EUVD) identifier?
- Yes. CVE-2024-3094 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-31700.
- When was CVE-2024-3094 published?
- CVE-2024-3094 was published on 2024-03-29 and last updated on 2026-06-17.
References
- https://access.redhat.com/security/cve/CVE-2024-3094
- https://bugzilla.redhat.com/show_bug.cgi?id=2272210
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- http://www.openwall.com/lists/oss-security/2024/03/29/10
- http://www.openwall.com/lists/oss-security/2024/03/29/12
- http://www.openwall.com/lists/oss-security/2024/03/29/4
- http://www.openwall.com/lists/oss-security/2024/03/29/5
- http://www.openwall.com/lists/oss-security/2024/03/29/8
- http://www.openwall.com/lists/oss-security/2024/03/30/12
- http://www.openwall.com/lists/oss-security/2024/03/30/27
- http://www.openwall.com/lists/oss-security/2024/03/30/36
- http://www.openwall.com/lists/oss-security/2024/03/30/5
- http://www.openwall.com/lists/oss-security/2024/04/16/5
- https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
- https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
- https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
- https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
- https://bugs.gentoo.org/928134
- https://bugzilla.suse.com/show_bug.cgi?id=1222124
- https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
- https://github.com/advisories/GHSA-rxwq-x6h5-x525
- https://github.com/amlweems/xzbot
- https://github.com/karcherm/xz-malware
- https://gynvael.coldwind.pl/?lang=en&id=782
- https://lists.debian.org/debian-security-announce/2024/msg00057.html
- https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
Affected products (2)
- cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*
More vulnerabilities in Tukaani Xz
- CVE-2022-1271 — High (CVSS 8.8): An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's…
- CVE-2015-4035 — High (CVSS 7.8): scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing…
- CVE-2020-22916 — Medium (CVSS 5.5): An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file.…
- CVE-2026-34743 — Medium (CVSS 5.3): XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if…
All CVEs affecting Tukaani Xz →
Other CWE-506 vulnerabilities
- CVE-2026-28353 — Critical (CVSS 10.0): Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version…
- CVE-2026-48027 — Critical (CVSS 9.8): Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was…
- CVE-2026-8398 — Critical (CVSS 9.8): A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421…
- CVE-2026-44484 — Critical (CVSS 9.8): PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have…
- CVE-2026-6443 — Critical (CVSS 9.8): All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to…
- CVE-2026-34424 — Critical (CVSS 9.8): Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected…